Marriott hack update: Hotel now admits hackers got passport numbers




Why in the world were they asking for passport numbers, and why would anyone in fact give them that? Unless I’m at an international border or booking an international flight I’m not giving that information to anyone!


I could see some countries requiring a passport number on file for foreign guests, due to local laws.


I thought we’d already heard they got passport numbers on the original story. What’s the new part of the news here?

I too am astounded that a hotel chain would be collecting passport numbers. Even if it’s to comply with a local requirement, then they should collect those only in those jurisdictions and then destroy them as soon as they’re no longer needed. Why are these retained along with all this other data?

Data is a liability, not an asset.


Most other countries require a passport number when you check into a hotel and don’t have a local ID document.


I just remembered, my brother and I one time stayed at a Marriott in Tokyo. Had to present both our passports when we checked in.


All over eastern Europe, in hotels, hostels, or even renting an apartment, locals require foreigners to surrender your passport, or for apartments, bring a photocopy.


And why wasn’t the personal data of customers encrypted whilst at rest?

I’ve put in a message to Marriott asking them to tell me what data of mine was affected. Under the U.K. DPA they have 30 days to tell me, otherwise the Information Commissioner can decide if they want to start a DPA2018 action against them. And that potentially brings them under the remit of GDPR.

I suggest any other U.K. BoingBoingers who have had a message from Marriott about their accounts do the same.



Shouldn’t corporations be fined $10, or even better $100, per piece of personal information that is leaked to a hacker?
Which means they would pay a fine of 38 billion dollars.

