Originally Posted by
phltraveler
The info.starwoodhotels.com site also states that the breach was in the
Starwood guest reservation database. Some countries like the UK require hotels to take down passport information and retain it for a minimum of 12 months (
Source).
This is actually common in a lot of the EU.
So even if the 3TA didn't send passport info to Starwood/Marriott or the Marriott.com/Starwoodhotels.com sites didn't have the passport info saved - if you stayed at Starwood hotels in the affected period, it may have been added to the reservation record by the front desk clerk anyways.
Although I can't control what happens to many aspects of my personal info, I try to minimize the damage when some of it is compromised. Are hotels required to keep the passport info in a readily accessible database or can it be stored offline?