Marriott breach: What to do when hackers steal your passport number

There's good news, and there's bad news.

Laura Hautala Former Senior Writer
[Image: A US passport. Caption: Hackers stole passport numbers as part of their breach of a database owned by Marriott. Credit: Getty Images]

It's a detail that could make you raise an arched eyebrow. Among the information hackers stole from a database owned by Marriott was a trove of travelers' passport numbers. That sounds like a very bad thing, especially when you consider that the breach affected as many as 500 million people, and the passport numbers were stolen from up to 327 million of those victims.

The truth is, it's bad -- but not as bad as you might think. And the good news is, you can do something about it. 

The bottom line is that if your passport number is stolen, it's one more piece of stolen information about you that criminals can buy on the internet's black markets. That can help criminals steal your identity or commit other types of fraud. After another year of data breaches feeding more of our information into criminal forums, stolen passport numbers are just the cherry on top of 2018's data breach sundae. 

"Knowing this passport number is tied to an individual is valuable," said Brian Stack, vice president of dark web intelligence at Experian.

Good news, bad news

So here's why it's bad if your passport number got caught up in the Marriott breach. Criminals can use your passport number, along with your name and several other points of data that were in Marriott's database for customers of its Starwood division, to impersonate you online. 

They could also use the number to create a more authentic forgery, something that could be worth thousands of dollars on the black market, Stack said.

Here's why it's not as bad as it could have been: Your passport number is not the same thing as your actual passport.

"There is a difference between having your passport number stolen and actually having the physical document stolen," said Eva Velasquez, president of the Identity Theft Resource Center. "The risk is much greater if the physical document is lost or stolen."

Forged passports are worth so much money because they're hard to make. It takes expertise and time. Criminals have easier ways to make money, Velasquez said.

On the plus side, US citizens concerned about their passport number being used for malicious activity need not worry. A passport number can't be used to access State Department records or obtain a citizen's government records, according to a State Department spokeswoman. Also, international travel is impossible on only the passport number; travelers must present an official, physical passport book or card when entering the US from a foreign country.

What you can do

Still, it's one more piece of information about you that criminals could use to try to impersonate you. So if you're concerned about criminals abusing your passport number, there are steps you can take.

First, make sure your passport number was actually stolen in the Marriott breach. The company is still sending out notifications to customers whose data was stolen, and those notices should be specific about what data was taken. 

In the meantime, ask yourself if you traveled internationally when staying at a Starwood property, which includes Sheraton and Westin hotels. If you didn't, it's unlikely your passport number was even in the database, Velasquez said.

If you've taken those steps and you're sure your passport number was breached, your one option is to get a new passport. Unfortunately, you'll have to pay for that. But new passports come with new numbers and your old number will become invalid.

Watch out for scams

Criminals have other ways to make money off of a data breach. That includes trying to trick you into giving up even more personal data. That's why you should be especially cautious of any emails you receive from senders claiming to be Marriott, both Velasquez and Stack said. 

Scammers will often send fake "breach notification" emails to thousands of people in the aftermath of a data breach. The emails warn recipients they were affected by the breach and then ask them to follow a link or open a document. Malicious links and documents can compromise your computer, letting hackers into your system. The scammers might also ask for more information, such as names, passwords and credit card numbers.

So don't click on links or documents in those emails. Instead, type in the website of the organization that you think is trying to contact you, like your bank or favorite hotel chain. Then you can log in from their legitimate website and see if they've sent you any official communications.

And above all, stop and think before you share personal information online.

"The scammers will come up with creative ways to monetize this event and perpetrate a scam in ways that you and I have not thought of," Velasquez said.
