Data Breach at Marriott Exposes Millions of Passport Numbers

A hack of the Marriott Hotels may put more than domestic travelers at risk.

According to The Washington Post, data at the hotel chain was breached on November 30, 2018. The report notes that an unauthorized party hacked Marriott since 2014. The data breach is already considered the largest personal record theft in history.

While the data from one hotel would be dangerous enough, apparently the hack exposed information from several chains. Initial reports showed almost 500 million guests exposed by the breach. An investigation in the month since the breach lowered that number to 383 million.

For foreign travelers, this could affect their travel documents.

The massive breach exposed guests’ passport numbers. On January 4, Marriott said 5.25 million passport numbers were lost in the hack. The data also included names, addresses, credit card numbers, travel histories.

To be affected, guests would have needed to make reservations at Starwood hotel brands between 2014 and 2018. Some of the most common hotels in the breach include Sheraton, Westin, Four Points and St. Regis.

Hacked passport information is a growing risk for travelers.

Any frequent travelers knows the difficulty in replacing a passport. That difficulty makes passport information even more valuable for hackers. Once they’ve attained the information, they can sell the info on a digital black market.

John Gunn, the chief marketing officer at a cybersecurity firm called OneSpan, spike to Politico about this kind of breach. “This may be an emerging trend with hacking organizations, to target large pools of passport data,” said Gunn.

Gunn added that passport numbers (much like driver’s license numbers) are one of the more sensitive elements of information.

So far, no one really knows who caused the data breach for. To date, it doesn’t appear that the Marriott network was affect by the attack. The Marriott said that portions of the reservation database had to be copied and encrypted. The company was finally able to decrypt the information on November 19, when the breach was first discovered.

Officials are also still unsure what the hackers plan to do with the passport numbers. Although still investigating, the U.S. State Department said travelers whose data was hacked shouldn’t apply for a new passport yet.

The department offered some other safety information for those that were affected.

They cautioned to refrain from reporting their passport number stolen unless a physical copy of the document was lost or stolen. Just possessing the passport numbers doesn’t allow the thieves to travel abroad. They would still need other officials documents like a birth certificate, social security number or photo to replace the passport. But, if a physical passport was stolen, the agency strongly recommends reporting the theft.

Do you need a hand taking care of your own travel documents? Passport Health can help! Give us a call at or take a look at any of our other passport and visa services.

Written for Passport Health by Jerry Olsen. He has over 15 years of combined experience as a writer and editor in Salt Lake City. Jerry’s writing topics range from health care, travel, life science to medical technology and technical writing.