Is Marriott’s Promise to Pay for New Passports Impossible?
Jeff Edwards December 11, 2018
According to a new report from Fortune, although officials at Marriott International promised to pay for new passports for those guests whose passport numbers were compromised in the recently announced Starwood Preferred Guest data breach, the cost of making good on that pledge would almost certainly bankrupt the company.
When Marriott International announced that a massive data breach occurred for Starwood Preferred Guests (SPG), the hotel giant promised that it would take extraordinary steps to help make sure customers didn’t lose money or fall victim to fraud in wake of the personal and financial information of a staggering 500 million guests being exposed by the hack. According to Marriott officials, for more than 327 million of those guests, the compromised information included “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
The company immediately devoted considerable resources to setting up a dedicated help line and providing fraud protection services for affected customers. Perhaps more importantly, officials pledged to devote even more resources to making those customers whole again – including the possibility of paying to replace passports which had been compromised in the hack.
“We deeply regret this incident happened,” Marriott International CEO Arne Sorenson said in an initial statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward. Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Now, however, some analysts say it would be nearly impossible for Marriott International to make good on its promise to replace the passports of SPG hacking victims. Fortune’s Robert Hackett points out that shelling out $110 for each of the 327 million guests whose passport numbers may have been hacked would amount to a payout of billions of dollars – an amount more than the total value of the entire company.
[Photo: Shutterstock]
People are also missing the point that it was not 327 million people but reservations. How many people had multiple reservations in that total. I would assume I have 50- 100, just with the time frame involved and the number of hotel stays I had. And as person that goes overseas often unless SPG added my passport info I did not give it to them, since I physically check in to most hotels. Unlike my airline where I use online check in and need to have my passport info.
Bit of an American centric view of the world. This data breech was on the Starwood company, of which's properties around 75% are not in US locations. Are all the guests American? Not likely, hence the passports certainly won't cost $110 to replace. You can double that in some countries, and don't forget the inconvenience and hoop jumping required to get a new passport, and potentially replace/change any active visas in it. Will Marriott pay for it anyway? Not likely. This is nothing more than public facing PR in the face of a huge data breech. Very common in lots of countries to present your passport at check in, sometimes government mandated (in China for example), sometimes as a proof of ID. On the credit card details side of things, interesting to see that they are not offering a free Experian Protect My ID subscription to anyone, unlike Cathay Pacific and British Airways have with their respective data breech's.
"shelling out $110 for each of the 327 million guests whose passport numbers may have been hacked" Because, of course, every country whose citizens were affected by the data breach charges US$110 for a new passport.
Why would they need your passport number to begin with? Are there countries that require hotels to collect this information?
The analysts assume that all 325 million shared their passport number with the hotel chain? That seems an interesting assumption. I wonder what the percentage is. Maybe it was just Mr Hackett from Fortune. Is that number publicly available?