Marriott says it will pay for new passwords for any Starwood hotel customers impacted by the breach of its reservation system, which began in 2014.
On Friday, the hotel chain disclosed that as many as 327 million people’s passport numbers may have been exposed in the breach. In obtaining passport numbers, bad actors could create false passports to enter the country or open financial accounts, Francis Dinha of security platform OpenVPN told MarketWatch.
To assuage customer concern of this happening, Marriott has now promised to reimburse affected guests for the cost of getting a new passport.
“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a Marriott spokesman told MarketWatch. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”
Pressure to pay for passport replacement
After Marriott admitted to the massive breach, Sen. Chuck Schumer (D- NY) and other lawmakers said the company should pay for passport replacements, which cost $110 for adults.
“Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture,” Schumer said in a statement Sunday. “Marriott must personally notify customers under the greatest security risk immediately and then foot the bill for those folks to acquire a new passport and number should they request it.”
Security experts say customers who stayed at the chain’s Starwood-branded hotels should change their passwords, set up two-factor authentication, and keep a close eye on their financial records. Customers may even want to consider freezing their credit as a safety precaution.
The Marriott hack is one of the largest in history, ranking second only to a breach that impacted Yahoo in 2013, in which hackers stole the personal information of three billion users. Hours after disclosing the breach, the hotel chain was hit with two lawsuits. One lawsuit is seeking $12.5 billion in costs and damages.