On Sunday, Democratic Sen. Chuck Schumer (D-NY) asked Marriott International to foot passport replacement fees for consumers impacted by the hospitality chain’s data breach.
Days later, company representatives said they’d implement a tentative program to recompense affected customers.
The attack on Marriott’s Starwood systems, which went undetected for nearly four years, compromised the personal information of some 500 million guests. The Washington Post writes that the data extracted by hackers includes mailing and email addresses, flight information and birthdates.
But most troubling, claims the Post, could be hackers’ acquisition of passport information.
While Marriott’s declined to state exactly how many passport numbers were stolen in the breach, the company’s indicated ‘up to’ 327 million customers may be affected.
Schumer’s demanded immediate action, saying stolen passport information could easily lead to full-blown identity theft and impersonation.
“Marriott must personally notify customers under the greatest security risk immediately and then foot the bill for those folks to acquire a new passport and then foot the bill for those folks to acquire a new passport and number should the request it,” Schumer said in a Sunday statement. “Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture.”
Bizjorunals.com reports that, midway through the week, Marriott acquiesced and agreed to recompense at-risk customers. Replacement passports—at least those obtained in the United States—cost $110.
But a statement provided by Marriott spokeswoman Connie Kim to the Washington Post suggests the company may only pay for guests who’ve already endured identity theft.
“We are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” Kim said. “If, through that process, we determined that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”
Security experts have criticized the Marriott for missing several opportunities to detect the hack. Their observations have prompted congressional leaders to call for better privacy protections and more corporate accountability.
“Checking into a hotel should not mean checking out of privacy and security protections,” Sen. Edward J. Markey (D-MA) said. “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”
Marriott, reports the Post, has set up a website and call center to answer questions at info.starwood.com. The company is e-mailing guests they believe to have been affected on a ‘rolling basis.’