Marriott Concedes 5M Passport Numbers Lost to Hackers Were Not Encrypted (nytimes.com)
360 points by adriand 3 months ago | 253 comments

Will they be penalized? Was Equifax ever penalized?

The cost to them so far is some bad PR which will probably blow over. Especially for companies like Marriott and Equifax which have near monopolies (Marriott owns several smaller chains like Starwood and Ritz Carlton), this probably won't affect their customer loyalty. Particularly when it's safe to assume that the other chains are probably not doing a better job.

Marriott currently has no incentive to spend money to do a good security audit.

They had incentive to do their recent migration of loyalty programs, since Starwood's program was notably generous.

>Will they be penalized? Was Equifax ever penalized?

No and no.

Our Federal government is beholden to special interests, so no real legislation or regulation addressing this issue will ever occur. If Equifax (a brace of our economy) didn't receive the death penalty for what they were responsible for, nothing will occur to any future company.

I've been on the inside of some leaks and associated internal investigations. There may not be an external penalty, but these are a serious internal headache. You often have to bring in external people, who then always see the worst in everything. The board has to be kept up to speed. The meetings and late nights pile up. The absence of external penalty doesn't mean that those on the inside don't care. I'd say that most corporate infosec is motivated primarily by the desire to avoid internal investigations. Avoiding the need to report anything to shareholders and/or corporate partners comes second. External penalties are a distant third.

That’s only motivation for InfoSec, though. The CEO has to be motivated to practice good security by the bottom line implications; if having a security incident means less profit, a conscientious CEO will make sure to mitigate that risk, or at least factor it into the tradeoffs of what to do.

Without any significant monetary threat, the ultimate cost of security breaches to a company isn’t truly a big deal.

Marriott likely leaked European customers' information also, so there will likely be a penalty. Probably pretty small though.

I just checked, and it looks like Equifax recovered to 95% of its pre-hack peak within about a year. (July 2017 peak of 145, then 137 last September, now 95.)

Sorry for the long link: https://finance.yahoo.com/chart/EFX#eyJpbnRlcnZhbCI6IndlZWsi...

One of our customers who works in the security space was discussing how 'professional' the CC resale industry is. They have customer service centers, will give you refunds if the CCs don't work, etc.

Really insane. I expected it to be shady but apparently it's a big business now!

I've never understood how it is that we can't detect and prosecute organizations when they're big enough to provide individualized customer support over the phone.

Are you referring to the credit card hackers or those who didn’t make much effort to secure customer details? Snark aside, both deserve consequences.

I know corporations should do better, but these attitudes strike me as victim blaming. End of the day, this data was stolen.

I see the victim as the customer, not the corporation. Yes they had data stolen from them, but if there is no consequence and it wasn’t their data, are they the victim?

It probably has better security.

Could a class action lawsuit on behalf of the 5M people who had their passport numbers stolen penalize them for punitive damages somehow, perhaps?

Crossing borders is stressful enough as it is.

If there is now added worry that you might be flagged as a terrorist or lord-knows-what because some nefarious person now has your passport numbers and personal details... surely that must be worth something?

Good luck with your free year of credit monitoring and a check for $5.00.

The point isn't a personal payout, the point is to hold the negligent party responsible

That's what might happen if you allow Marriott to dictate the terms... not the other way around.

Given that they have EU customers I imagine that yes, they’ll be penalised.

GDPR is very recent - do we know exactly when the compromise was? If it was before GDPR came in, they might be able to weasel out of any potential penalty.

And logging passports of foreign visitors is the norm in the EU - I suspect the national security exemption would apply - be interesting what the European court of justice would say if asked.

I would not imagine even the legal requirement would reduce the safeguarding requirements nor allow an increase to the necessary retention period.

Exemption for being allowed to store them is arguable, but they could still be prosecuted under data protection.

We can look at their precautions or lack thereof and see if that constitutes negligence. But regardless of negligence, Marriot and Equifax were victims of criminals. Were the perpetrators ever identified and punished?

"Marriott currently has no incentive to spend money to do a good security audit."

I bet they've had good security audits.

In cases where the 'victims' are corporations, punishing 'victims' is totally acceptable. Don't let rhetorical conflation between humans and corporations fool you.

Put another way:

Marriott is the victim of "cyber" crimes.

Marriott's customers are victims of Marriott's negligence.

I'd argue it has nothing to do with corporation or non-corporation. If someone is injured in a car accident due to an unfastened seatbelt, the driver is also potentially both a victim (assuming they weren't at fault for the accident) and guilty of negligence (for not making sure safety equipment was used properly).

This is what civil courts are for, there’s no need at all for a new law. A general frustration that’s pretty common in internet communities is how regulators and legislators deem it necessary to create so many new laws just for the internet. We expect that the 4th amendment should apply to our packets just as it does our mail, and houses, and persons. So I can’t help but see hypocrisy whenever I hear demands that companies should be financially or criminally punished after being a victim of a cyber crime. If there’s a legitimate tort, then you already have legal recourse.

More like, if a car is caught in a pile-up accident, it is both guilty of hitting the car ahead and victim of being hit by the next car. If he was pushed by the back car into the front car, and took all necessary precautions, he can call for a kind of force majeure and make the back car pay for both, but the aggressor has to be formally identified. Marriott didn't take enough precautions to pretend being victim of a hacker.

"Marriott didn't take enough precautions to pretend being victim of a hacker."

Marriott was literally, prima facie, the victim of a hacker. The data didn't steal itself. Someone trespassed into Marriott's network and stole data that did not belong to them.

Legal culpability, while certainly not the strong point of HN, is a thing. Negligent, grossly negligent, and reckless conduct are technical terms that exist and have meaning.

I'm sick of replying to this because I don't like defending Marriott in this case. I hope they get a painful class action ruling. I think legal reforms around this are needed, but I am entirely unconvinced anyone here has a reasonable framework of regulations that would benefit anyone.

I was confused by this comment but I think what you're trying to criticize is this: "Marriott didn't take enough precautions to pretend being victim of a hacker."

I agree with that criticism. It's not a crime to be a victim, but being a victim also doesn't mean you're not guilty.

Marriott might, however, still be liable for some damages due to not following common security practices for sensitive personal information. Anyone from California, for example, would have § 1798.81.5 [1] and § 1798.91.04 [2] which would back up their right to have their data handled properly. The FTC might also get involved with their fairly broad powers to protect users' privacy (though that agency has been limited in this administration).

[1] http://leginfo.legislature.ca.gov/faces/codes_displaySection... [2] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...

For the record I didn't think anything you wrote warranted a downvote and hope my response (though sincere, and I definitely disagree with you) didn't cause anyone else to downvote your comment. I don't think it varies much from much of the sentiment expressed in this discussion.

Two things can be true. A company or service (sole proprietorship/lifestyle project can be hacked just as easily as a massive C corp) can be liable for negligence. But I'm emphasizing that one should never lose sight of who perpetrates and benefits from the crime. That would be the actual criminals/intelligence services who steal (and perhaps sell) the data.

Realistically consumers will only be protected once these corporations start facing severe legal penalties whenever their negligence allows them to get hacked. Nobody is interested in letting the hackers off the hook, so your concern is misplaced. But you'll never protect consumers by focusing on the hackers, that just isn't practical.

> " benefits from the crime."

These corporations are benefiting from their negligence every day when they save money by being negligent with security and facing no real consequences for it.

Penalties are too reactive. Regulation would be more proactive.

A huge corporation will mostly see a fine as a cost of doing business. It won't work when you're looking at negligence, or security, because you can hedge all of your bets on never being found out, or otherwise only being found out so far in the future that the negligence has already paid for itself.

Regulating the storage of sensitive information, same as you have with HIPAA and GDPR, presents a much stronger case for being more careful up front. You're no longer talking about negligence: the expectation for how you handle sensitive info is made clear right from the start, and you can treat egregious violations (like storing passport numbers alongside other account details like a physical address without securing the system) as malicious.

Corporations are ultimately just people; a large group of people.

Think of what would happen if we punished the hell out of Marriott. Many of those people could lose their jobs and be unable to provide for their families, for something that didn't really have much to do with them other than they chose to work at the wrong corporation.

This line of reasoning can be used to defend virtually any conduct from a business that employs many people, and that alone should disqualify it from discourse. But in this case the ideal punishment would be unlikely to result in any real damage to careers; it would just incentivize Marriott and other hotels to avoid a repeat of this.

Most bankruptcies don’t result in liquidation, just total loss for shareholders and a haircut for creditors.

> Will they be penalized? Was Equifax ever penalized?

No. And no.

Marriott and Equifax may be big but they're not even close to being "near monopolies". Neither has even 50% market share.

I would substitute the word 'monopoly' with something like 'unavoidable' or 'compulsory' or 'inescapable'. They're not the only options or even the majority option, but for many of the people impacted by this breach it makes no difference. Many of them were forced into it.

I've never been asked which credit bureau I preferred to have my information given to or taken from. And while I have some say over which business hotel chain I stay at, ultimately it's up to my client or my employer to set the policy. If the rates at the Hilton are out of compliance with the company's willingness to spend, I'm staying at the Marriott.

Monopoly is the wrong word, but the sentiment of hopelessness is the same.

>Will they be penalized? Was Equifax ever penalized?

Above a certain wealth threshold, corporations and their CEOs are above the law.

Nothing was 'lost'. A misplaced laptop is lost; records from a database are accessed (or 'stolen', but I think that's problematic as well). The fact that the access was possible says nothing about the hackers and everything to do with Marriott's security approach and posture. Can we please stop letting companies hand-wave away these attacks and stop solely blaming hackers?

I've worked with hundreds of companies' security teams. While I've seen a select few companies do a really great job, most were either negligent, incompetent, or both. I'm sick of the blame for this being laid solely at the feet of the abstract "hackers", rather than the people who make these attacks utterly trivial.

(Posted from a throwaway because Marriott may or may not be a customer of mine. Ugh.)

Throughout my travels my passport number has been copied with an old school copier, entered into excel spreadsheets and held on to by various shops for collateral.

Not saying this isn’t a shitty hack, but I feel like the passport is the least secured document attached to me I have.

I thought you should never, ever give your passport to anyone, especially for collateral. Right?

Dunno, depending on your country they can be pretty easy to replace and they do tend to work quite well as collateral.

This entirely depends on your situation, for example I don't think there are many places where it'd be a huge deal for a white westerner to lose their passport.

Are you sure you're not conflating IDs with passports?

Though, yeah, in Germany at least it's quite easy to replace passports

I would've thought by now the security consultant industry would be really robust and large corporations like Marriott would be advised to handle low hanging fruit like "encrypt everything". Anyone know the current state of the industry?

Hopefully someone in the security industry can chime in, but from the outside, it looks like a gold rush is well underway. Unfortunately, the parties that are cashing in are large companies like McAfee that are offering essentially useless "hacker protection" plans. Then on the enterprise side, the big service providers are providing similar useless services.

Security is a complex issue that requires custom, expensive, and ongoing solutions. So companies run by non-security professionals are going to trust the relatively cheap programs offered by these large providers.

Nah, not really much of a gold rush. There is a lot of talk about how security is becoming extremely important, but when push comes to shove and companies have to spend significantly to secure their systems, or worse, slow down feature development to do so, they choose the easy route. And I can't blame them, given the financial incentives at play.

Take startups. Having a security breach won't kill your startup. Being slow to market will.

The ROI is not there, when there are significant costs to security, and no repercussions after getting hacked.

Without a solid ROI, it probably won't turn into a gold rush anytime soon.

I think the issue is a bit more fundamental: Security is an afterthought. There are no repercussions, or gain or expected real punishment for not providing a secure solution. These hacker protection plans are just to tick off a box and satisfy a regulation (government or internal).

On the other hand if we cared about security we would not rush to assign a long lasting hard to change number to a person, and share it around... (Or worse in the case of SSN (for the U.S.) pick a number that is neither randomly assigned nor equipped with a validation mechanism.)

> Anyone know the current state of the industry?

Large corporations are run by business majors who often have a disdain for computer science. Usually this leads to not hiring the top security experts (either through lack of knowledge or not wanting anyone smarter than themselves at the wheel).

I've personally seen this at a few jobs. It can go both ways, as often CS-savvy startup founders are the same way towards business majors.

I worked for Marriott for a long time (on the tech side). They have no disdain for computer science, it's not "run by business majors", and there is no shortage of security experts. They were one of the more on the ball technology and security operations _for a company of that age and size and legacy_. The company as a whole placed huge focus, resources and energy on information security from well before I joined - it was one of the most risk averse groups I've worked for.

The incident took place on the Starwood network (they bought Starwood, a completely separate company with completely separate infrastructure), and this issue was discovered post acquisition and during the long running integration program (Starwood had 2 breaches previously, so I guess it's not surprising). From what I've seen, if it wasn't for the controls implemented as part of the integration which formed part of Marriott's standard risk-averse approach to security generally, it probably wouldn't have been found for another 4 years.

It's complicated, and 99% of the "damn fool corporates and their evil ways!" comments are completely off the mark because they don't have the context.

The reality is that integrating another business is unbelievably difficult. Managing the (now significantly higher) infosec risks more so. You inherit a landscape with monsters you don't know about, and you still have to own whatever pops out. It's a really, really bad thing to have happened - make no mistake. And in time, the full story will out and opinions can be reached based on facts. Maybe they did screw it up. Maybe they could have done stuff differently. I don't think it's like Equifax with a clear cut cause and effect, but a reasonably complicated ecosystem steeped in legacy systems and opaque dependencies that is really hard to change.

It seems to be this generally accepted thing that whenever there is a huge breach, some people (aside from the person doing the breaching) have been utterly negligent, ignored all the obvious and really quite simple (I mean, just encrypt all the things, amirite? duh!) and should be rounded up and shot at dawn. Perhaps - just perhaps - it's something that wasn't a result of negligence, and just wasn't foreseen because hard stuff is hard. Hindsight really does create the most impressive armchair strategists.

(no, I don't still work there. I left a few years ago. no, I don't think they're perfect. no, I don't think all corporations are evil incarnate looking to steal our data, only some of them.)

I think it's mostly the fact that the cost of data breaches is less than the savings (i.e. profit) from not implementing rigorous systems.

People don't seem to realize the financial planning aspect of deciding whether to do rigorous security or not. A major part of training materials for CISSP, which is really more of a security management certification than a technical one, is explicitly about doing a cost-benefit analysis of security implementation. See https://en.wikipedia.org/wiki/Annualized_loss_expectancy.

That said, there are a fair number of common-sense low or zero cost safeguards any technical employees could implement to help mitigate threats.

> That said, there are a fair number of common-sense low or zero cost safeguards any technical employees could implement to help mitigate threats.

The cost isn't in the safeguards. The cost is in the governance structures (i.e. time spent by mid-level managers) that ensure the safeguards are followed and applied consistently across the organization.

Encrypting database fields is basically free. Making sure all database fields that should be encrypted are is an expensive process.

FREE and OSS CMS' encrypt customer data now.. Don't know where this myth that it costs money to do basic encryption is coming from..

It's not only the cost to encrypt something. It's the cost to create security policies, hire people who know the field, implement protections beyond encrypting data at rest, updating old software to deal with the new security measures, etc. It's never as simple as "just encrypt that field".

Until there's a good reason to do so people aren't going to bother.

You're absolutely right! The basic software infrastructure that can be adapted to safely and securely handle user data is completely free.

It may be worth considering that adapting said FLOSS software, doing the requisite custom integration work, and then doing a large migration successfully might all be perhaps slightly less free than the software you correctly and wisely point to.

Large enterprises have extremely complex and interconnected systems.

The real costs and work is in the migration and adoption of new tools (regardless of the cost of the tools themselves).

The cost in this case would be in switching.

They're already using a system that works for them, why bother changing to something else?

Your comment reminds me of this https://www.youtube.com/watch?v=SiB8GVMNJkE

It's a little chilling, but I assumed the clip you linked was the one you did!

I believe it was in one of Henry Cloud's books on boundaries where I learned the idea that people roughly fit into three categories.

- they want to treat others well, and if you inform them of a boundary they've overstepped, they'll try to correct it

- they care about themselves within the framework of our society and laws, but are not keen on giving up anything for anyone else. If you want to enforce a boundary with them, you have to find a way to shift the consequences of their actions back onto them. Only if it hurts them, will they change their behavior

- they don't care about laws, society, decency, etc - you'll need guns and lawyers.

Right now it feels like many corporations are on a wide line between the second and third description above... what a sad realization!

I haven't seen any evidence of that. Those people respond to incentives and there are few current incentives to push companies to spend time on security, especially preemptively. Yes, there will be some public blowback if you're compromised, but that will blow over. Plus consumers are well aware that this is happening all the time to other companies, so it's become "normal" behavior now.

The fines for neglect of personal customer data need to be so high that the boards of these companies and their shareholders demand that their executives make security a priority.

HIPAA (https://compliancy-group.com/hipaa-fines-directory-year/) is a decent model and it does seem like security is taken more seriously in the healthcare industry in general. That being said, the actual fines are relatively low when you look at the size of some of these companies.

Anthem is one example: https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16...

That was the largest HIPAA fine ever ($16 million) for a company that pulls in $90 BILLION in revenue each year and 79 million people had their information compromised in that event. That fine is basically a rounding error for them. Still, this outcome is better than what happens with most non-healthcare security compromises, which is basically nothing except "we're sorry, we take security seriously, and here is one year of credit monitoring."

HIPAA is mostly self attestation, so it's one of the weaker compliance requirements actually. But you are correct that at least there is some fine involved. GDPR will be interesting to follow also, and to see how high the fines will go in the future.

Disdain? What the hell? I know more than my fair share of MBAs and they're all fascinated by my job, far as I can tell...

The industry is robust, companies just refuse to spend money on security because the risks aren’t all that great to them and insurance policies are paid out regardless.

I'm ever so slightly optimistic in this regard. As soon as we see a few GDPR-related penalties assessed, the risk-reward calculation will change drastically.

According to their 2017 annual report [1], Marriott had $22.9bn in worldwide revenue. A 4% penalty on that would be $900M.

[1] https://marriott.gcs-web.com/static-files/057a8e1a-a5c5-4c20...

I read that there was some kind of grace period involving GDPR penalties. Has the EU handed out any fines yet, or is it still letting companies adjust?

Yes, the first case is done: https://www.welivesecurity.com/2018/11/27/german-chat-site-f...

The question is probably if it is state of the art to encrypt passport numbers. If yes, then Marriott could be fined with a similar argument of "the company knowingly violated its duty to ensure data security".

> I read that there was some kind of grace period involving GDPR penalties.

The grace period started two years ago and ran until May 2018...

people seem to forget that the GDPR was technically already a law in 2016, it was just not enforced.

I've seen employees demonstrating every day for months in front of the Marriott in San Francisco. Didn't think they were doing that good.

This is spot on. I was the Chief Information Security/Privacy Officer at an investment bank and had to _beg_ for a system to scan email and automatically encrypt if it detected PII.

Totally naive question, but how does this work? I have trouble seeing the extra security value.

Does "select passport from customers" no longer work as a query? Or do you store an encrypted value in the table that you then decrypt on demand? Is the decryption performed by a microservice that adds an additional layer that would need to be hacked?

> Or do you store an encrypted value in the table that you then decrypt on demand? Is the decryption performed by a microservice that adds an additional layer that would need to be hacked?

That is precisely one model. In fact, there are hardened "vault" appliances designed for exactly this class of use cases. All sensitive PII is 1) encrypted on the vault and 2) replaced externally with a random token. Most of the time, the rule is that the plaintext PII is never removed from the vault. E.g. to compare a value, a new one is sent to the vault to (idempotently) retrieve a token.

Done right, this gives you other features/requirements such as the ability to rate limit and set alarms on vault accesses. E.g. if someone were trying to brute-force retrieve vault data via token retrieval.
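The vault model described in the comment above, as an added example that is not code from the thread or from any vendor's appliance: values go in once and come back as random tokens, the same value always maps to the same token (so comparisons never need plaintext), and the only path back to plaintext is rate limited and alarmed. Assumptions: an in-process dict stands in for the vault's hardened storage, and an HMAC-SHA256 counter-mode stream cipher with an HMAC tag stands in for AES-GCM so the file runs on the standard library alone; in production use AES-GCM (for instance from the `cryptography` package) with the key in an HSM or KMS, not in the same process as the data.

```python
"""Minimal PII tokenization vault (added example; see lead-in for assumptions)."""
import hashlib
import hmac
import secrets
import time
from collections import deque


class VaultLookupThrottled(Exception):
    """Raised when detokenization requests exceed the configured rate."""


def _derive(master_key: bytes, label: bytes) -> bytes:
    # Split one master key into independent sub-keys for encryption, MAC and the blind index.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES-CTR.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class PIIVault:
    def __init__(self, master_key: bytes, max_lookups: int = 5,
                 window_seconds: float = 60.0, clock=time.monotonic):
        self._enc_key = _derive(master_key, b"enc")
        self._mac_key = _derive(master_key, b"mac")
        self._idx_key = _derive(master_key, b"idx")
        self._by_token = {}    # token -> nonce || ciphertext || tag
        self._by_index = {}    # HMAC(value) -> token; makes tokenize() idempotent
        self._max_lookups = max_lookups
        self._window = window_seconds
        self._clock = clock    # injectable so the throttle can be tested deterministically
        self._lookups = deque()
        self.alarms = []       # where a SOC would hook in

    def _encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return nonce + ct + tag

    def _decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct))))

    def _index(self, value: str) -> bytes:
        # Keyed blind index: lets the vault find an existing row without storing the plaintext.
        return hmac.new(self._idx_key, value.encode(), hashlib.sha256).digest()

    def tokenize(self, value: str) -> str:
        """Store value and return a random token; the same value always yields the same token."""
        index = self._index(value)
        if index in self._by_index:
            return self._by_index[index]
        token = "tok_" + secrets.token_hex(16)   # carries no information about the value
        self._by_token[token] = self._encrypt(value.encode())
        self._by_index[index] = token
        return token

    def matches(self, token: str, candidate: str) -> bool:
        """Compare a candidate against a stored value without ever releasing plaintext."""
        return self._by_index.get(self._index(candidate)) == token

    def detokenize(self, token: str, caller: str) -> str:
        """The only path back to plaintext: rate limited per window, bursts refused and alarmed."""
        now = self._clock()
        while self._lookups and now - self._lookups[0] > self._window:
            self._lookups.popleft()
        if len(self._lookups) >= self._max_lookups:
            self.alarms.append(f"{caller}: {self._max_lookups} lookups within {self._window}s, throttled")
            raise VaultLookupThrottled(caller)
        self._lookups.append(now)
        return self._decrypt(self._by_token[token]).decode()
```

The blind index is what makes the "send a new value to retrieve a token" comparison work without a decrypt; the throttle on `detokenize` is the feature the comment calls out, since an attacker who compromises an application server holding tokens still has to pull plaintext one call at a time through a path that counts and alarms.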

It works pretty much as described. Now the hackers can't simply steal the db dump, they must also steal the decryption code and the key. This requires more work. The application servers are not the same as database servers, etc.

Ok so I know a thing or two about that:

1. Most companies, even large ones, do not encrypt everything. Some do, usually because they have to according to some regulation of the space they operate in (HIPAA for example).

2. Passport numbers are a grey area. Is it public information? Is it private information?

3. Even if you encrypt your database, the key will most often be lying next to it. Unless your company really cares about security, because they have to by design, they will most often not architect an infrastructure that protects the key.

4. The systems that use the encrypted data are themselves vulnerabilities; if the attacker can collect the data through systems that can decrypt the data for them, then they may not even know that the data was encrypted. Attacks on these kinds of databases are often through services and not by just taking the database wholesale. Thus encryption is not really a robust protection against theft, it only protects against theft via discarded media and the like.

Numbers are too easy to crack by enumeration. You can just enumerate all possible passport numbers, encrypt them, and compare two hashes. It takes seconds on modern CPU. Even if salt is used, all 5E6 records can be cracked in about 2 months on modern desktop, or in 1 day on 60 node cluster.
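The enumeration attack the comment above describes, as an added example that is not code from the thread: a passport number comes from a small, structured space, so an attacker holding the digests simply hashes every candidate and compares. The "one letter plus four digits" format (260,000 values) is constructed for this example so the search finishes in well under a second; real formats are larger but, as the comment says, still within reach of a desktop. Assumptions: the attacker has the database dump including any per-row salt, but not the HMAC key, which is assumed to be held outside the database.

```python
"""Enumerating hashed passport numbers (added example; see lead-in for assumptions)."""
import hashlib
import hmac
import string


def toy_passport_numbers():
    """Every value in the constructed toy format: A0000 .. Z9999."""
    for letter in string.ascii_uppercase:
        for digits in range(10_000):
            yield f"{letter}{digits:04d}"


def store_plain_hash(number: str) -> str:
    # Unsalted SHA-256: one precomputed table breaks every row in the dump.
    return hashlib.sha256(number.encode()).hexdigest()


def store_salted_hash(number: str, salt: bytes) -> str:
    # Per-row salt only forces one enumeration per row; the salt sits in the same table.
    return hashlib.sha256(salt + number.encode()).hexdigest()


def store_keyed_hash(number: str, key: bytes) -> str:
    # HMAC under a key the database never holds: enumeration needs the key, not just the dump.
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def crack_plain_hashes(stolen_digests):
    """Build the lookup table once, then recover every stolen row by dictionary lookup."""
    table = {store_plain_hash(n): n for n in toy_passport_numbers()}
    return {d: table[d] for d in stolen_digests if d in table}


def crack_salted_hash(stolen_digest: str, salt: bytes):
    """Salt forces a fresh pass per row; each pass is still only the size of the number space."""
    for n in toy_passport_numbers():
        if store_salted_hash(n, salt) == stolen_digest:
            return n
    return None


def crack_keyed_hash(stolen_digest: str, attacker_key_guess: bytes = b""):
    """Without the real key the attacker can only enumerate under guesses; the real key is not in the dump."""
    for n in toy_passport_numbers():
        if store_keyed_hash(n, attacker_key_guess) == stolen_digest:
            return n
    return None
```

The keyed variant is the point the next reply makes: the defence is not the hash, it is keeping the key (or the decryption key, for reversible encryption) somewhere the dump does not reach, which is exactly the part that point 3 of the comment further down says most companies do not architect for.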

That’s if you own the encryption key. If you own the encryption key you can just decrypt

Good point as well. Sometimes a SQL injection will go right through this kind of Transparent Database Encryption.

Passport records, and the passport record number, are protected by the Privacy Act[1].

(4) the term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph;

[1]: https://www.us-passport-service-guide.com/is-passport-inform...

This is a US answer only. Other countries might have different laws.

> low hanging fruit like "encrypt everything"

...what? A database stops working as a database if you encrypt every field

If you encrypt at rest/in transit (which you should legally) then you're only protected against a very limited set of threats

Encryption is not going to save you if you have SQL injection or a webserver breach

Encryption is good but protects against hardly anything, usually physical attacks, do not try and encrypt at the application level, password fields are encrypted because you should never need to query it

Passwords are the exception not the rule

I'm not a security expert, so "encrypt everything" is simply a hand-wavy way to say "handle low hanging security holes". When you look at the cause of some of the large breaches in the past, many times they are very simple attack vectors and weak protections: phishing, passwords stored in plaintext, etc.

As engineers, we are awed when flaws like Rowhammer and Spectre are exposed, but the fact is that a lot more data is being exposed by very simple means. The fact that corporations are still being breached by these efforts is troubling. I think it shines a bad light on both corporate entities and security consultants.

At my workplace, all attributes in the database are encrypted. In fact, we are contractually obligated to do so. This does not limit the use of the database. Rather, it changes how we use the database, i.e., we decrypt, store working sets in memory, re-encrypt prior to storing in the database.

That's impractical for the vast majority of use cases. The performance costs would be enormous, turning millisecond response times into seconds in many cases.

For existing database design for many, sure. This requires rethinking how you access your data and changing the architecture and data flows accordingly. I am not in any way suggesting it would be trivial for existing applications to suddenly do this. It requires forethought.

They store unencrypted data in memory instead of hard drive. From security perspective: nothing changed, so their access times may be even faster than with traditional approach.

Actually it means that you must be able to access memory when the server is running. Still possible, but much more difficult and requires gaining root on the server while it is running and has decrypted the data, or finding some RCE that allows direct access to this memory. We have numerous pen testers and code reviewers that look for and test for such things all the time. This also means evading various monitoring tools that security and network operations centers are watching. Again, still possible, but much more difficult.

This also means, disks walking away are always encrypted. We physically shred all of our disks, but humans can make mistakes.

You're assuming that all your unencrypted data fits in memory. For most of us, that's not the case.

>password fields are encrypted

If you are encrypting your passwords you are already doing it wrong.

I hope by "password fields are encrypted" you mean that only hashes are stored.

I think this blog post from Brian Krebs captures the problem pretty well: https://krebsonsecurity.com/2018/12/a-chief-security-concern...

There's a lack of attention at the executive and organization levels in these major corporations, so they're not set up to deal with security threats in a forward looking way.

Unfortunately in the hotel and timeshare industry (large overlap) IT is not a central concern it is an expense and often treated as one. Meaning large portions of the system development is outsourced to dev shops out of the country or teams are brought in from India etc. This is not a slight on those engineers as they are often highly skilled. The issue is that they are working off of requirements produced by senior management level people who are very lacking in knowing the low level details. The engineers also don't have the background on what is a surprisingly complicated process and things get lost. These engineering teams were brought in to save money and as such corners are often cut everywhere especially security. The engineers are also often not in a position to push back as they are contractors from poorer nations and rely on these salaries to a far greater degree than a US citizen might.

I personally find that people in product, sales, upper management, etc... want to push for features, things being easy/fast, etc over everything else.

They tell developers to "not worry about it" and force deadlines on them that don't allow for doing things right.

Why would it be? There is almost no risk to ignoring security issues, and the risk only decreases the more this happens to other companies because consumers start seeing it as normal behavior that affects all companies they do business with.

I'm almost certain Marriott has security people telling the higher-ups that they need to do X to protect security, but if other companies are not subjected to that same risk, revenue growth is always going to win over security.

This will never change until governments start holding these companies liable with severe penalties that are not simply "the cost of doing business."

The sheer volume of folks in that industry who have borderline ZERO clue is shocking. It really is an amazing mix of absolutely empty suits and good people.

Companies seem to have no idea who is who.

Absolutely. I have seen a major hotel chain (no names, no pack drill) totally mess up a site migration; they had to revert and do it again after a co-worker and I had laid out what they should have done in the first place.

I worked with one when I was an outside vendor.

90% of their IT staff's time was calling up their vendors support teams and convincing them to join a conference call together and then telling vendors from different companies to just make it work, whatever it was. They thought that was just how you did things.

Eventually we told them "naw we're not doing that anymore stop eating our support team's time". They threatened to move on to another vendor and tried... but couldn't actually pull it off because... they simply didn't have the manpower or technical knowledge.

The costs of hacks are still largely external, while the costs of avoiding such hacks are high and internal.

It's likely that all major enterprises are waiting for Oracle to come up with data-at-rest encryption, and then they will likely follow along.

TDE has existed for a while, and is certainly not fixing these things for us InfoSec folks. https://www.oracle.com/technetwork/database/security/tde-faq...

There are a LOT of companies that can't run that, since it requires the Enterprise Edition of Oracle. That is a huge jump in price over Standard Edition, even for most larger companies.

I don't see how encryption at rest helps with an online attack.

Once the file system is mounted, the filesystem is unlocked. This is the way things like LUKS, which has been around forever, work today.

Why do they even have that many passport numbers saved in any format? I get what a spy organization could do with that information. What does a hotel organization do with it?

>I get what a spy organization could do with that information. What does a hotel organization do with it?...

Give it to the spy organization.

Not being snarky. That was meant as a serious comment. Maybe there is some kind of requirement to inform the appropriate organizations of the passport numbers of any foreigners in your hotel?

At least within the EU, it is required that hotels record the passport numbers of people who stay with them for potential future law enforcement use. Most countries just require the data be kept on file at the hotel, but a few regularly collect it in some kind of central database.

And, especially with a big chain, I assume that any information they collect (especially if they're required to collect it) gets put in a centralized database rather than depending on a paper copy being properly filed in a file cabinet someplace.

Somewhat OT but I was in Europe last month on a business trip. There's a knock on the door one evening. Imagine my surprise in discovering it's someone from the hotel who has come up with a few edible goodies for my birthday. On the one hand, it was a nice gesture. On the other, I was a bit taken aback. Where did they get that info?

I didn't really want to ask but a friend of mine later reminded me that they probably got it off my passport. I suppose this might have just been an informal process at this particular hotel. But I wouldn't be shocked to learn it was put in the chain's database.

All big chains will definitely keep track of your birthday if you're a member of their rewards program.

Do you have to provide it or do they get it from some other source? I'm pretty sure that I don't routinely give my birthday when I enroll in rewards programs.

Are you sure? I thought they would at least need a birthday to check on your age. They can't very well offer a contract to a minor.

Yes. I'm sure I can go online and make a hotel reservation in 5 minutes without providing my age or birthday. Now, I will usually have to provide a credit card number which typically would indicate I'm old enough to stay at a hotel. Although as noted elsewhere prepaid credit cards may be a work around. They may not let me check in if I show up and don't have an ID or my ID says I'm 14. But making the reservation would be straightforward.

It's a bit creepy but I'd assume they get it from your ID when you check in.

How does GDPR play into the requirement to store passport numbers?

If there’s a legal requirement to store passport numbers you can store them. It’s one of the cases where you don’t need consent. You still have to store them in a safe fashion and the customer still retains most of the rights under GDPR (information about what you store and for which purpose, etc.)

It plays. The way these hotels are doing this maybe probably isn't GDPR compliant, but the same applies to vast amounts of other things.

Hard to share any very useful insights on this, it's just the state of most things.

Can GDPR be used as an audit mechanism for breached passport numbers? And if so, what would that process look like? Can hotels be fined if they’re found to not be GDPR compliant?

>Can GDPR be used as an audit mechanism for breached passport numbers? And if so, what would that process look like?

I'm not quite sure what you mean, but the answer is probably no.

>Can hotels be fined if they’re found to not be GDPR compliant?

Sure, but is anyone GDPR compliant yet? I'd imagine that all the DPAs in EU are extremely busy right now.

I don’t believe that’s a requirement in the UK or Finland (though my last hotel stays in each was via Booking.com and I guess it’s possible that was sent automatically from Booking.com records, I can’t remember what they asked me for when I signed up)

The main reason it's required in the EU is because it's so easy to cross land borders without leaving a trace.

In the UK, there's no need because it's an island, so passports can be more easily screened at the borders.

That implies it’s a Schengen Area rule?

This thread is full of the usual HN Europe-speculation. My speculation is that this isn't something the EU has legislated on, so it varies between countries.

In the UK, "The Immigration (Hotel Records) Order 1972" says:

> 4.—(1) Every person of or over the age of 16 years who stays at any premises to which this Order applies shall, on arriving at the premises, inform the keeper of the premises of his full name and nationality.

> (2) Every such person who is an alien shall also—

> (a) on arriving at the premises, inform the keeper of the premises of the number and place of issue of his passport, certificate of registration or other document establishing his identity and nationality; and

Thanks; that certainly explains why I’ve never noticed the passport requirement in UK hotels — being British.

> Maybe there is some kind of requirement to inform the appropriate organizations of the passport numbers of any foreigners in your hotel?

Some countries (China and Russia spring to mind) require you to register your lodgings with the police, which the hotel does for you. It seems standard practice to hand over your passport at international hotels.

Israel sometimes has more nefarious reasons than tracking where foreign citizens are:

A Serious Organised Crime Agency investigation into the misuse of UK passports in the murder of Mahmud al-Mabhuh in Dubai in January 2010 found circumstantial evidence of Israeli involvement in the fraudulent use of British passports. This has raised the possibility that your passport details could be captured for improper uses while your passport is out of your control. The risk applies in particular to passports without biometric security features. Only hand your passport over to others (including Israeli officials) when absolutely necessary.

I mean, most places I've stayed at take a photocopy of the passport, it's kept in case of any police enquiries.

> Maybe there is some kind of requirement to inform the appropriate organizations of the passport numbers of any foreigners in your hotel?

This is the case in most countries I've traveled to.

Passport numbers are the easiest and perhaps the only way for these hotels to uniquely identify and track their customers. A ton of jurisdictions also require hotels to store these.

So which hotels limit their storage to the legal requirements?

Do not stay in any hotels if you do not want your personal information collected and shared with various third parties.

Airbnb and similar tend to be vastly friendlier to privacy-conscious travelers, usually collecting less than legally required (they also do a very bad job of verifying what they do collect).

Well, with Airbnb, you're presumably registered on the site and have a credit card on file which is how you pay. In general (at least in the US), lower-end independent motels and the like will often be less rigorous about checking ID and will probably let you pay cash.

You can acquire a relatively anonymous prepaid card and use that to pay airbnb. Also, at least the last time I tried their ID verification thing didn't care about the name on the ID so you could just use any random ID from wikileaks to verify your account.

Yeah, in the US the hotel situation tends to be significantly better than in the EU.

Good point about prepaid cards. Like anything of this nature, a lot depends on who you're hiding from and why. It's one thing to thwart generic big corporation knowing where you've been and what you've bought. It's another to be hiding from someone who has some degree of access to your computer and financial accounts. It's still another to be actively hiding from individuals or entities with varying degrees of law enforcement authority and varying degrees of interest in tracking you down.

Privacy.com offers an easy way to spin up virtual cards. Keep in mind your bank (and cc processor, and/or the merchant) probably sells your transaction history, etc. to Google and other big data perverts.

These days European ones hopefully follow the GDPR at least.

> What does a hotel organization do with it?

It's a requirement for hotels to have passport numbers in many jurisdictions. Have you never used a hotel before?

If you are in-country you can use an in-country ID instead--drivers license number most often.

I've never had a hotel ask for my passport when traveling in the US as an American for example. I'm sure they would take it if I offered, but my drivers license is considered sufficient.

Yes I have used a hotel before.

It's a government requirement in many jurisdictions, including much of Asia and the EU.

Note that in the EU, at least, the data is not sent to the government authorities, but it must be available to them.

So do those jurisdictions provide passports for free (or very low cost) and/or make them easy to acquire?

In the US to get a passport isn't an arduous process, but it isn't easy nor cheap; when I got mine done (full thing - card and actual passport), I had to first get a passport photo taken and paid for (walgreens), then go to a local courthouse during a weekday (which I had to take off the time for), then pay a bunch of money (oh - and I had to give them my birth certificate and some other ID - which I got back when I received my passport weeks later) - then wait.

I think there were fingerprints involved too...

Anyhow - it wasn't an easy or cheap process, but I can understand why they make it that way. But for most people in the US, unless they travel internationally, they never obtain a passport, because of this process. It is only set up for people who can afford it (both in time and money).

So - if it is a requirement in other areas of the world, then receiving or obtaining a passport would have to be made easier for those who couldn't afford the time or money; time could be made by legislation making employers provide time for doing such a thing, and/or keeping courts or wherever to process the applications open on weekends or have later hours or something.

Of course - we are talking about "non-US" places, which seem to have far saner social policies under which this would fall...

Don't know about other EU countries, but here everyone older than 15 years is required to have a passport or ID card by law. The fee is ~1/4 of what it costs in the US. You don't need to take a photo beforehand, as it can be taken during the application. If you don't want to wait in a queue, it is possible to make an appointment by phone.

There's a lot of confused comments on this thread.

In my experience, hotels only need a passport or similar identification for non-citizens or non-residents — both would usually have a passport or equivalent to be in a foreign country.

(But to answer your question, for a first adult British passport one needs a digital photo, birth certificate, and a parent's passport number. Everything is done online[1].)

[1] https://www.gov.uk/apply-first-adult-passport

At least in the EU/EEA, most countries have national ID cards, and you can travel with those instead.

Not defending, but plausible reasons:

- Form of identity.

- Concierge service to look up status/book travel for guests.

Is anyone surprised that assigning numbers to people to identify them seems to backfire every time it's tried?

The government should issue a public/private key to every citizen/resident and provide a verification service that companies can use to verify a citizen's identity without the citizen having to hand over any secret information.

They could even optionally store one or more profiles that you could use for streamlining your interactions with various private industries: financial services, health care, employment, shopping, and travel could all have separate datasets about you stored for convenience.

Then when you want to do business with a company, you grant them access to the appropriate profile. When you conclude your business, you revoke access.

The same would be great for phone and email networks. Basically instead of giving someone your contact info, you give them a voucher to contact you. They call or email to the service and include the voucher (all automated) and the service either forwards it along or ignores it based on whether the voucher is valid. And you can invalidate any voucher at any time for any reason.

For people that like things simple, they could use a single voucher for everything, but for people who want more control they could do separate vouchers for everyone, or some easier middle-ground like family, friends, professional, commercial, and misc.

Yeah until the government database gets compromised and all the private keys get leaked.

This isn't how asymmetric encryption works - government would store public keys, users would manage their own private keys +/- passphrases. If there was a breach at central storage, the only thing that could possibly be taken would be the public keys which by definition are useless for anything other than verifying a signed message or encrypting a message to the holder of the private key.

You're right, my mistake!

They couldn't be leaked, they would be in the hands of the people. The government only needs a public key.

Then what happens when the user inevitably loses their private key? Not everyone is tech savvy enough.

Then use an annoying lengthy in person procedure to issue a new one.

Make issuance and re-issuing of the key contingent on DNA verification.

... so the government has a copy of your DNA on file? What about when that database gets compromised?

That would be some pretty impressive skills to fake DNA.

I was referring more to the privacy implications of having the government have your DNA on file.

Faking DNA; well for that it would depend on how the test was administered. A cheek swab would be reasonably easy to fool, a blood draw less so if administered carefully. This is all assuming no corruption or anything; DNA tests contain no cryptographically attestable proof of match.

And who knows, with DNA-based therapies you might find yourself unable to pass a DNA test for yourself in the future.

That doesn't sound any worse than losing your social security number.

SSNs are identifiers and not intended to be private. The only reason anyone cares about SSNs is that some private businesses were negligent in their authentication procedures and have tried to shift the blame to the victims.

In contrast, if you have public-key encryption people are going to build systems on the assumption that your private key is only available to you despite several decades of history showing that's not a safe assumption.

Your SSN you can memorize. A 2048-bit+ private key is gonna be a lot harder.

You go in person, give a new public key, and cryptographically sign the government's message with it.

In person, the government will have its own redundant and convoluted process to verify you before giving you a message to sign, just like today to reissue an SSN.

That’s not a problem so long as the number is a non-secret identity rather than a secret used to verify identity. A social security number (or any such personal identification number in any country) is only an identifier and not secret. It’s like an email address, not like a password.

A leak of lots of non-secret data (e.g. email addresses) is an integrity problem, not a security problem. A leak of passwords or other secret data is a security issue.

There is no problem with assigning people a number. The problem is that people start using that number as verification, not as an identifier.

People treat your SSN as a password, when really it just uniquely identifies you. It's basically an email address, not a password.

> it just uniquely identifies you

Not even. You need other data points, like DOB, to build enough uniqueness, and there are still many stories of collisions.

> it just uniquely identifies you

Try working face-to-face in communities of recent, poor immigrants where five, six, even ten people using the same (likely purchased) SSN is not unusual. I've seen entire families using the same SSN.

Don’t use any service that considers SSN a verification.

Functionally useless advice if you ever have to deal with mobile networks, internet service providers, financial institutions, utility providers, any government, schools, universities, and the list goes on.

Those services take the SSN as proof of identity and not just identity?

Wouldn't most people's SSNs be leaked already, so using the SSN rather than proper ID isn't much better than nothing?

Yes, when you call customer service you’re usually asked to provide your SSN to verify you are who you are.

Some are finally requiring a PIN or passcode, but very few in my experience.

Providing your SSN identifies you no better than your email address or postal address. It's not a secret number. There may be a provider that has 2FA. It should be a cheap way for them to get more business.

There is no other way to establish identity beyond a limited social circle besides a unique address or number.

That's ... incredibly interesting. I can't figure out a counterpoint to this. You are correct, 'identity' is not all that easy to verify outside of a small group. I think there are larger implications about human nature here than just trying to OAuth a user.

Numbers have to be assigned in order to break the symmetry. Otherwise how would you tell humans apart?

Right, but it's like using a private key as an identifier. As soon as it's compromised you need to get a whole new ID.

I'd rather see something like Bitcoin's HD wallets used for identification - your private keys are on a hardware device, but you can generate new "personal identifiers" for use with public services that, if compromised, could be burned through a central registry without requiring a replacement of the private keys.

The only real problem with most of these "identity theft" cases is that lenders are not punished/fined when they lie to credit bureaus and say you borrowed some money instead of someone who has impersonated you. Prevent the banks/loan makers from libeling you and this information leaking is not that much of a big deal. Banks might not like it, but the populace would definitely support it.

To further your suggestion, start referring to "identity theft" as fraud. Banks/loan makers don't just libel you, they further the initial crime and commit fraud every time they transfer/sell/bundle the fraudulent debt.

There needs to be a specific phrase to replace the phrase "identity theft". I think the phrase "bank libel" could work as it is not a phrase currently used very often. Unfortunately "bank fraud" is a common occurrence, so not a great name for this specific type of bank fraud.

Well, the above solution would actually allow you to connect the stolen number to the specific organization you supplied it to. That would help with accountability quite a bit!

This is a great idea! It solves a lot of problems up front - it allows for multiple, verifiable, identity slices and separate revocations of each.

That said, you may also want to consider that a system design may want to have the ability to re-issue private keys. It's wise to assume that hardware dongles may, in the fullness of time, prove attackable. Certainly many Bitcoin wallets have.

It might be necessary to issue new dongles every once in a while, but it wouldn't be unreasonable to have a user fee for doing so. Certainly people have to pay to renew driver's licenses and such already.

You may wish to consider stepping carefully with this one. It's reasonable to charge for driver's licenses and passports because those are privileges.

It would be unreasonable to charge people a fee for a basic requirement of being enabled to be verifiable by their government. Especially if the system you're imagining is to be used for things like identification to establish voter eligibility.

Why is it unreasonable? You could exempt anyone below a certain income level from paying the fee - it's no different than any other kind of tax.

It's a de facto poll tax. You may wish to research the history of such, it's both fascinating and horrifying.

Your idea of using income levels is an interesting and intriguing one. Thank you for bringing it forth for discussion! However, have you considered that it may pose some complications, such as how one can document and prove income without a way to prove identity in a system where every such document is tied to identity? Might it not be easier to skip that administrative overhead entirely?

This is good, but it'll take a while to catch on.

I can well imagine everyone receiving a hardware key generator for personal identification purposes. Some id cards already have something similar and it shouldn't be all too expensive.

Assuming a fair bidding process...

Coarsely, the reason for the need to tell humans apart is to assign debts.

Huh? What about my Safeway card that tracks my shopping habits? Or my phone number that allows anyone in the world to contact me? Or my address that identifies a physical location to send me things. Or membership numbers in clubs? Or the example from TFA: passports.

How would any of those be feasible with coarse mapping of ID to human?

Why do you need an externally defined unique ID?

If I tell you that i am Spooky23, 123 Main St, anytown, AK, spooky23@example.com, what more uniqueness do you need?

Hoarding passport numbers, drivers licenses, ssn, etc usually doesn’t serve a legitimate purpose. When it is required to meet compliance or other requirements (say an payroll processor who needs an SSN to withhold taxes), it needs to be protected and have access controls.

Marriott does not have any need to authoritatively know who I am beyond payment arrangements. I'm not borrowing money from Marriott, so they don't need my SSN. They may need my passport when I check into an international hotel to meet compliance requirements, but they don't need to store it in a reservation system, and don't need to store it beyond the international jurisdiction where I checked in.

Marriott probably keeps the passport numbers to identify people in their hotel chain management systems, because they are an international company with hotels (and other similar properties) worldwide.

Name, address, and email probably isn't fine-grained enough, as multiple people can all share the same information - and name isn't enough because some people name all their kids the same, sometimes the same as the parents (yes, it is crazy insane, perhaps narcissistic - but people). Then there are those who do similar things for fraudulent reasons.

In theory (I'm sure there are ways around it) no two people should have the same passport and passport ID number. Now, not everyone has a passport, but if they do, and they are travelling internationally, Marriott likely would rather have that information, so they can track you as you use their services in multiple places around the world (and offer you various amenities, upgrades, advertising, etc of course)...

That would be my guess.

Presumably a combination of name and email address is enough for "marketing" purposes for Marriott.

Less nefariously*, I did a bit of digging and in the UK, hotels are required to record an ID for aliens (ironically, there is no central ID system in the UK, which I assume is why it's for aliens only). If the liability is on the hotel in case of incorrect information, it makes sense they would require the most common form of internationally recognized ID (a passport). Italy has a similar system, introduced in the 30's by the fascist government at the time, for keeping track of who was where when. If I were an international business, it would make sense to me to comply with the regulations everywhere rather than try to selectively enforce them.

(Nefarious-ness of Marriott. Not necessarily a comment on trusting the people who came up with the law in the first place)

Spooky23 seems to be implicitly relying on uniqueness that is leveraged by the underlying message routing system. With the case of "123 Main St, anytown, AK" there is an implicit assumption that no one else lives at that address. With the case of "spooky23@example.com" there is an implicit assumption that the mailbox is not shared.

Hoarding numbers serves the very purpose of ensuring a unique assignment. For instance, if "the" department of transportation did not have a "global" database, then it would risk minting the same number twice. That having been said, it is true that knowledge of a "master" identity is not a requirement for making payment arrangements.

What’s the anticipated trust level?

For most commerce, I need to be able to tell that you are the same “Spooky23” who was here last time.

If you need to positively and authoritatively identify me, collecting numbers is not sufficient. End of the day, these companies are either overcollecting for convenience or doing a poor job of collecting information for compliance purposes.

> End of the day, these companies are either overcollecting for convenience or doing a poor job of collecting information for compliance purposes.

Or both. Overcollecting makes sense at a global level (all systems the same everywhere), but even if they only collect what they need, they're clearly not treating it correctly.

My response was to the idea that unique identifiers are only useful for debt collection.

In response to your moved goalposts: how is storing the passport ID different from storing the address or email? Are all three not "externally defined unique IDs"?

I'd rather hotels had my passport number than most home address.

Many countries legally require hotels to record guest passports.

These examples say more about the sad state of the world we live in than the feasibility of the use cases.

I didn't say these things were impossible, just that they are about collecting debts, so I've tried to respond below by showing how they allow parties to collect debts.

- Personalized tracking for marketing and advertising use cases is about changing subject behaviors, so that they spend their time and energy on things that other people want them to spend it on. Grocery store "loyalty" cards are one of many examples of how we cede agency -- in this case, allowing a corporation to assign a debt in the form of coupons that predispose us to buy a particular item. Does the 49 cents off the chocolate treats make the 30g of sugar more healthy? This is textbook predatory behavior.

- Phone numbers are a thing because we rely on centralized communications where the phone number is associated with an account billed monthly for collecting a usage debt. However, with technologies like torrents and WebRTC this is changing. In the future, maybe you provide each of your friends and family with a unique signature that allows them to look you up on the net?

If I could give up my phone number, it would certainly cut down on all of the robocalls and spam I get every day. This isn't novel or weird: many people already hand out email addresses of the form name+safeway@place.com to bucket spam.

- A physical address is a weird example because it identifies a physical location, not a person. I am not my home address; I just sleep there sometimes. Sometimes, I'm sleeping somewhere else.

- Club membership? That's easy - if you're paying for membership, then they need an account id to collect the debt for your membership. If you're not paying for membership, they don't need an ID. There are lots of clubs or meetups that don't require IDs -- the evening tech meetups/bar crawls around Seattle, for example.

- Passports, Customs, and Borders exist as a mechanism for the state to collect taxes on goods crossing international borders. Not the only mechanism, just one of them. Governments are currently struggling with goods and services crossing international borders digitally bypassing these checkpoints. I'm not sure, though, why you think passports are a humane thing -- we put tags on livestock.

Would you be fine having your medical history mixed with someone else with the same name?

Yes, I would even be willing to pay a small fee for this.

(not the op)

(op here) The premise of the grandparent is an illusion that depends on the idea that somehow a medical provider (which one?) is a better caretaker for your medical history than you are. In the cases where that is actually true, power of attorney is the real solution -- not EMR records hosted offsite by 3rd party vendors in 3rd world countries on behalf of one or more hospitals. How absurd.

My medical history is mine; it's ultimately not yours. If you need my medical history, allow me to give you limited access to it.

Now, if your billing is opaque and you're playing shenanigans with the insurance companies about who owes what, then sure, you need my Passport, SSN, DNA, Real ID, and biometrics -- and you should probably hold my medical history hostage too -- to make sure that you can collect on the debt.

Capitalism is involved for sure, but "debt" seems harsh. How about "resource allocation"?

What alternative would you propose?

The Chinese 居民身份证 works well for its intended purposes and has not backfired.

That's 'Resident Identity Card' for anyone who doesn't want to google it.

> has not backfired

Unless they ended the program, you forgot the word "yet".

Yet. That we know of.

Note that encryption at rest isn't a panacea. Since every system that accesses the data needs to have the decryption key, if the hacker is getting the data by hacking one of those systems, then the encryption at rest has achieved nothing.

> then the encryption at rest has achieved nothing

That's a bit of an overreaction. It has at least guaranteed that the intruder has active keys on a relevant system that can access the data. It ups the ante with reasonable/minimal cost.

Encryption at rest is a defense-in-depth approach allowing you to be sure that e.g. some random stolen backup image (perhaps of a 3rd party system) doesn't expose your /etc/shadow or user tables for subsequent rainbow-table attacks.

This is so short-sighted I can't believe you are serious and not trolling. Every precaution has its limitations, but why give the attackers a free meal? Encrypted data protects from simple theft or loss of the device, so a common thief won't leak the data.

You seem to be arguing against something I never implied. I said it's not a panacea. Do you disagree?

You implied that encryption is optional whereas this shouldn't even be a discussion.

Not a panacea, but always required. All disks eventually are thrown out. It doesn't prevent all attacks, but it's the only way to prevent a very common class of attack.

Reminds me of this story where a company went bankrupt and all the old servers were sold to the public but weren't securely erased beforehand:


Yes, it's generally a good idea, even if it won't protect against most breaches.

There are also certain types of encryption at rest where it buys you absolutely nothing though, e.g. using AWS' builtin encryption at rest for S3. No one is going to break into the AWS datacenter and steal the data from the physical disks.

AWS decommissions hardware like anyone else. While I'm sure their processes include a secure-delete, no process is perfect and things are missed. It's worth setting the flag, especially since it's free.

Why does Marriott have passport numbers to begin with?

This really comes down to companies simply collecting way too much information. Consumers need to push back against this type of data collection. Only give information which is clearly required for their business and nothing more. Also the companies should only retain that information for long enough to conduct their business.

A lot of countries require hotels to collect information that proves that the guest is there legally.

In my country hotels are even required to make a photocopy of the passport/ID when a traveller checks in. Having your ID be public is not more of a security issue than your name being public.

This is really the nub of the issue.

I love that when I’m traveling for business everything is arranged for me, but I hate that I get put in situations where I’m booked into big hotels with policies like this.

Increasingly it seems like there should be some kind of regulation that (with exceptions) if a good or service costs money, you should be able to buy it in exchange for money, and refuse to provide personal information even if requested.

It's often required by the government where the hotel is located.

Needs to be substantial penalties for these transgressions or it's just another "cost of doing business".

A lot of these are likely to have been from EU residents, so there certainly could be some very large fines coming their way, courtesy of the GDPR.

Wow, I didn’t think about that - it applies to EU citizens even when not in the EU. And for a few types of business you have to have physical presence where you operate (hotels is one) so the EU can always force Marriott to pay up or extort the money from their business in the EU.

Curious question. How could they encrypt this information when managers at help desks in the hotels need that information, say, for verification? Isn't stealing a password from a temporary worker super easy anyway?

You can decrypt the encrypted info, which is what you want to do with PII at rest, which I'm assuming is where the data was taken.

Why is having a person's passport number a security issue in the first place? What could a malicious person do if they have your passport number?

Unfortunately passport number is considered semi-secret to the point where you can retrieve very personal information with it or with a tiny amount of extra info such as last name + passport number. Passport numbers are also permanent, until replaced.

Or to put it simply: passport numbers make identity theft easier.

Uh, I was in China more than once, so I think if they are responsible it is not something they do not have ;)

I think I have become numb to this stuff. I just assume it's all out there and thus keep an eye on my credit reports, et al.

I am more pissed about the basic level of OPsec I see at these companies. I am even more worried about the same thing at our Defence contractors and related companies.

It seems law and regulation are going to have to clearly define and constrain what these organizations are allowed to collect and what they are not allowed to collect -- or, rather, that everything else is off-limits.

Guests need to be offered the question of whether they care to share X data, and guaranteed that a "no" answer will not affect their ability to do business and receive services in the slightest -- nor the price they receive.

Many people scream bloody murder WRT regulation. However, here we have a clear and repeated industry failure -- one with significant knock-on costs and risks.

So, tough. You failed.

I could also cough up a protest on my part against the whole misleading notion of "self-regulation". And point out that in an era of increasing consolidation into brands under very few and very large holding companies, effective competition -- including and with respect to data and security practices -- is largely absent.

P.S. Where data collection is required, standards and aggressive auditing should be funded and enforced.

People in the U.S. generally seem to have no problem with FDA regulation and inspection of meat production. (Not realizing how industry political initiatives continue to stress and periodically threaten this, e.g. inspection budgets.)

Well, it seems we're to the point of needing an FDA for data, or something like it.

I say this with trepidation. And any initiative should come with a healthy dose of "audit the auditor", to keep requirements and process transparency to a maximum and minimize the governments' own carve-outs and attempts to siphon off the data whose processing are under inspection.

Back to my accounting days. How do you prevent mistakes, error, and fraud? Well, orthogonal processes with robust cross-checks certainly help.

The only reason the hotels are collecting passport numbers in the first place is because of regulations requiring them to.

It also helps verify against people causing damage to the hotel. Businesses where the transaction is not a simple "seller provides item - buyer pays seller" have different risks involved, and therefore need additional measures to protect against them.

Requiring credit cards, government-issued photo ID, and age over 21 are all methods of preventing guests who trash rooms, sneak in pets and cause noise disturbances, underage partiers, pimps and hookers, drug dealers, people who are excessively dirty and cause pest problems, etc. from messing up the business. Same with car rentals and flights. Some people are problematic, and it affects other customers, and you need a way to mitigate the problem.

In the US, almost all local ordinances require hotel operators to keep track of who is staying in which room for a year or so (some even require photocopying, although that's not always followed), and to hand over that info to police whenever they demand it.

With regards to EU law, hotels are required to keep the passport numbers of foreign national guests on file.

Until someone is held responsible, big corporations will not care about customers' data. It's probably cheaper to give everyone a year of credit monitoring (which not everyone uses) than to implement security to protect customers' data.

Data breaches like this are reported every week, yet nothing is being done.

Any data we turn over to companies should be treated as compromised. There should be a way to issue new SSNs. Things that can’t be changed like birthdays, addresses, and last names shouldn’t be stored by companies without very good reason.

If you’re doing a new startup, and have aggressive timelines, what security measures would you implement to protect PII from day 1? I’m an experienced dev but not a security expert.

Two factor authentication for all developer accounts, require TLS 1.2 to access the website and add HSTS, have some system for ensuring all SQL queries are sanitized, use bcrypt or scrypt with recommended settings to hash user passwords, add a content-security policy, enable secure and same-site attributes for cookies, as well as http-only, and add a double-submit csrf token. That should cover the basics to start with, in rough order of priority, assuming you're building a web app.

Also, in general, be conservative about what PII you collect; hackers can't steal information you don't have.

I'd suggest hiring an expert, assuming the startup is funded

They will be punished in European Union where they have business presence. They had EU passports there. Under GDPR negligence is punishable.

UK ICO hopefully will intervene in a few months.

In the USA remedy actions are class-action-lawsuit driven, and corporations do not have incentive to change their behaviour.

I logged into Marriott to change my password... and I couldn't. Their web page responsible for changing password times out. What kind of POS system is that?

Seems like you've been out of the loop. They've been experiencing massive computer problems since August.


Companies should not be allowed to have such sensitive data or the punishment should be severe - I mean the entire board should look at doing time. Currently as the law is, the rich can just laugh and carry on.

What can malicious people do with my passport number?

Create a fake passport to travel under your name and commit crimes. Try not to be surprised when you discover an arrest warrant in your name for sex trafficking in Belarus.

Not that one wants this sort of information to be leaked, of course, but it's hard to see how information that is routinely copied by hotel desk clerks and which is written down on countless forms is deeply sensitive information that will cause dire outcomes if it gets out.

You mean like your bank account number, which is constantly typed into online forms of all sorts of websites. Or your credit card number, which you probably say verbally into the phone to pay your bills?

Truth is, lots of extremely sensitive data exists in insecure states all the time.

For that matter, your bank account number goes on pieces of paper called checks that many of us give to individuals and companies all the time to pay bills.

So, yes, I draw a distinction between numbers that we hand out willy-nilly and truly sensitive information. There's a big difference between my checking account number and my health records.

>Create a fake passport to travel under your name and commit crimes. Try not to be surprised when you discover an arrest warrant in your name for sex trafficking in Belarus

This would only require a name, not a passport number. A passport number would simply be of no use here, there doesn't exist any¹ automated mechanism for Belarus to verify foreign passport numbers.

¹Well OK, with biometric passports it is possible to cryptographically verify some data.

Not really. Most passports contain NFC chips now. There's an NFC app for Android that can extract all your passport details from a UK passport, including your photo, and it's all digitally signed by the passport office.

Those exist but are rarely read except at the gates specifically for biometric passports. Nobody will question you for having a passport with a broken chip.

At least right now the NFC chips simply have no effect on passport forgeries.

You definitely can't create a passport just from a name and passport number.

Almost certainly nothing at all.

They're currently admitting to losing passport #s, but what else - like credit card info which they aren't supposed to keep in any case - might have been compromised?
