On Friday, January 4, 2019, Marriott International, Inc. (“Marriott”) revealed that 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were included in the data stolen as part of the massive data breach of November 30, 2018. Although Marriott originally disclosed that the breach of its Starwood guest database, which includes Westin, W and Sheraton, included information such as e-mail addresses, credit card data and passport information, this new revelation increases lingering espionage concerns associated with the breach. Passport numbers serve as unique identifiers for those holding the passport. As such, these numbers may be used by hackers to track the travel itineraries of cyberattack victims, many of whom may be government officials or business executives.
A United States intelligence official and other sources familiar with the attack investigation have speculated that China may be behind the attack. The techniques used by the hackers are consistent with past cyberattacks sponsored by the Chinese government. This speculation adds a troubling aspect to the attack. If the Chinese government gained access to the passport information compromised in the attack, it would be able to increase the efficacy of future attacks by homing its espionage assets in on individuals of particular importance.
Marriott’s newest disclosure may affect its legal exposure
Multiple lawsuits seeking class-action certification were filed when news of the data breach originally broke. One such class action is seeking $12.5 billion in damages, which is equivalent to $25 for each of the 500 million cyberattack victims. This figure allegedly reimburses the victims for the costs associated with cancelling credit cards compromised in the attack. Marriott may expect to see its legal exposure rise along with the newest disclosures due to the particularly sensitive nature of passport numbers and the additional burden placed on victims in determining their individual exposure and obtaining new passport information.
Response from Capitol Hill
Lawmakers in the United States cited the Marriott data breach as another example of the increasing need for federal privacy laws. Among other things, lawmakers have called for “data minimization,” which generally relates to safeguarding potential cyberattack victims by requiring companies to discard sensitive consumer data that the companies no longer need. As the scale of the breach and the nature of the data compromised continue to come to light, we can expect to see renewed calls from lawmakers in favor of federal privacy laws.
Marriott’s January 4, 2019, press release may be found here.