Your Passport and Your Identity
A recently-discovered data breach of the Starwood brands of Marriott International’s hotels has left consumers and security advocates alike scratching their heads. At the heart of this confusion surrounding the theft of data for around 25 million guests is passport security, or more accurately, the need to safeguard both your physical document and its number. So assuming that your passport was affected, what do you do?
As noted in the newest release published on January 4th, 2019, “Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers.” According to numerous sources including the US State Department, your passport number on its own is not a highly valuable piece of information for a hacker. However, when combined with some of the other data points that were compromised in this breach, your number could possibly be used to craft a more complete profile for identity theft – or allow for an identity thief to generate a synthetic identity with more validity.
First, if the physical document is lost or stolen, that is absolutely an urgent matter. You should report it to the proper authorities—namely the State Department who issues them—so that there is a record of the missing document. If it is used for identity theft or fraud, you will have already filed it as missing.
But in the case of this data breach where only the number was compromised, your recourse is a little different:
1. If only the number and not the actual document is stolen, don’t be too quick to replace it. Since the number by itself does not directly result in identity theft, you may not be given a new passport free of charge. That means you’ll pay for the new document out-of-pocket.
In the case of the Marriott breach, if you can show proof that your passport was the cause of fraud or identity theft, they are offering to replace it. Read the specifics very carefully to understand what your recourse is in this particular case.
2. If the document was set to expire in the near future AND you were planning to replace it, there’s no need to wait if you can demonstrate that it was compromised. However, you may need to provide the notification letter or email from Marriott International to show why you’re requesting a new passport early.
3. When you decide to replace your passport, it will contain a new number (unlike driver’s licenses that retain their issue number, for example), but that doesn’t mean someone couldn’t still use your old number to piece together your identifying information. You will still need to monitor your accounts—especially travel-related accounts—carefully.
This breach also serves as a cautionary tale about oversharing: unless you are required to turn over a piece of identifying information, think twice about submitting it. Many consumers take domestic flights and stay in hotels without even owning a passport; just because you have one doesn’t mean you have to provide the number every time it’s an option.
Finally, as if this wasn’t worrisome enough, there’s another potential threat that could be looming: scams associated with passports. With any high-profile event, scammers crawl out from under their rocks to take advantage of the public. Be wary of any email, text, social media post or other communication that plays off of fears surrounding compromised passport numbers.
Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.