The cost to them so far is some bad PR which will probably blow over. Especially for companies like Marriott and Equifax which have near monopolies (Marriott owns several smaller chains like Starwood and Ritz Carlton), this probably won't affect their customer loyalty. Particularly when it's safe to assume that the other chains are probably not doing a better job.
Marriott currently has no incentive to spend money to do a good security audit.
They had incentive to do their recent migration of loyalty programs, since Starwood's program was notably generous.
No and no.
Our Federal government is beholden to special interests, so no real legislation or regulation addressing this issue will ever occur. If Equifax (a brace of our economy) didn't receive the death penalty for what they were responsible for, nothing will occur to any future company.
Without any significant monetary threat, the ultimate cost of security breaches to a company isn’t truly a big deal.
Sorry for the long link: https://finance.yahoo.com/chart/EFX#eyJpbnRlcnZhbCI6IndlZWsi...
Really insane. I expected it to be shady but apparently it's a big business now!
Crossing borders is stressful enough as it is.
If there is now added worry that you might be flagged as a terrorist or lord-knows-what because some nefarious person now has your passport numbers and personal details... surely that must be worth something?
"Marriott currently has no incentive to spend money to do a good security audit."
I bet they've had good security audits.
Marriott is the victim of "cyber" crimes.
Marriott's customers are victims of Marriott's negligence.
I'd argue it has nothing to do with corporation or non-corporation. If someone is injured in a car accident due to an unfastened seatbelt, the driver is also potentially both a victim (assuming they weren't at fault for the accident) and guilty of negligence (for not making sure safety equipment was used properly).
Marriott was literally, prima facie, the victim of a hacker. The data didn't steal itself. Someone trespassed into Marriott's network and stole data that did not belong to them.
Legal culpability, while certainly not the strong point of HN, is a thing. Negligent, grossly negligent, and reckless conduct are technical terms that exist and have meaning.
I'm sick of replying to this because I don't like defending Marriott in this case. I hope they get a painful class action ruling. I think legal reforms around this are needed, but I am entirely unconvinced anyone here has a reasonable framework of regulations that would benefit anyone.
I agree with that criticism. It's not a crime to be a victim, but being a victim also doesn't mean you're not guilty.
Marriott might, however, still be liable for some damages due to not following common security practices for sensitive personal information. Anyone from California, for example, would have § 1798.81.5 and § 1798.91.04, which would back up their right to have their data handled properly. The FTC might also get involved with their fairly broad powers to protect users' privacy (though that agency has been limited in this administration).
> " benefits from the crime."
These corporations are benefiting from their negligence every day when they save money by being negligent with security and facing no real consequences for it.
A huge corporation will mostly see a fine as a cost of doing business. It won't work when you're looking at negligence, or security, because you can hedge all of your bets on never being found out, or otherwise only being found out so far in the future that the negligence has already paid for itself.
Regulating the storage of sensitive information, same as you have with HIPAA and GDPR, presents a much stronger case for being more careful up front. You're no longer talking about negligence: the expectation for how you handle sensitive info is made clear right from the start, and you can treat egregious violations (like storing passport numbers alongside other account details like a physical address without securing the system) as malicious.
Think of what would happen if we punished the hell out of Marriott. Many of those people could lose their jobs and be unable to provide for their families, for something that didn’t really have much to do with them other than they chose to work at the wrong corporation.
No. And no.
I've never been asked which credit bureau I preferred to have my information given to or taken from. And while I have some say over which business hotel chain I stay at, ultimately it's up to my client or my employer to set the policy. If the rates at the Hilton are out of compliance with the company's willingness to spend, I'm staying at the Marriott.
Monopoly is the wrong word, but the sentiment of hopelessness is the same.
Above a certain wealth threshold, corporations and their CEOs are above the law.
I've worked with hundreds of companies' security teams. While I've seen a select few companies do a really great job, most were either negligent, incompetent, or both. I'm sick of the blame for this being laid solely at the feet of the abstract "hackers", rather than the people who make these attacks utterly trivial.
(Posted from a throwaway because Marriott may or may not be a customer of mine. Ugh.)
Not saying this isn’t a shitty hack, but I feel like the passport is the least secured document attached to me I have.
This entirely depends on your situation, for example I don't think there are many places where it'd be a huge deal for a white westerner to lose their passport.
Though, yeah, in Germany at least it's quite easy to replace passports
Security is a complex issue that requires custom, expensive, and ongoing solutions. So companies run by non-security professionals are going to trust the relatively cheap programs offered by these large providers.
Take startups. Having a security breach won't kill your startup. Being slow to market will.
Without a solid ROI, it probably won't turn into a gold rush anytime soon.
On the other hand if we cared about security we would not rush to assign a long lasting hard to change number to a person, and share it around... (Or worse in the case of SSN (for the U.S.) pick a number that is neither randomly assigned nor equipped with a validation mechanism.)
Anyone know the current state of the industry?
I've personally seen this at a few jobs. It can go both ways as often CS-savvy startup founders are the same way towards business majors.
The incident took place on the Starwood network (they bought Starwood, a completely separate company with completely separate infrastructure), and this issue was discovered post acquisition and during the long running integration program (Starwood had 2 breaches previously, so I guess it's not surprising). From what I've seen, if it wasn't for the controls implemented as part of the integration which formed part of Marriott's standard risk-averse approach to security generally, it probably wouldn't have been found for another 4 years.
It's complicated, and 99% of the "damn fool corporates and their evil ways!" comments are completely off the mark because they don't have the context.
The reality is that integrating another business is unbelievably difficult. Managing the (now significantly higher) infosec risks more so. You inherit a landscape with monsters you don't know about, and you still have to own whatever pops out. It's a really, really bad thing to have happened - make no mistake. And in time, the full story will out and opinions can be reached based on facts. Maybe they did screw it up. Maybe they could have done stuff differently. I don't think it's like Equifax with a clear cut cause and effect, but a reasonably complicated ecosystem steeped in legacy systems and opaque dependencies that is really hard to change.
It seems to be this generally accepted thing that whenever there is a huge breach, some people (aside from the person doing the breaching) have been utterly negligent, ignored all the obvious and really quite simple (I mean, just encryption all the things, amirite? duh!) and should be rounded up and shot at dawn. Perhaps - just perhaps - it's something that wasn't a result of negligence, and just wasn't foreseen because hard stuff is hard. Hindsight really does create the most impressive armchair strategists.
(no, I don't still work there. I left a few years ago. no, I don't think they're perfect. no, I don't think all corporations are evil incarnate looking to steal our data, only some of them.)
That said, there are a fair number of common-sense low or zero cost safeguards any technical employees could implement to help mitigate threats.
The cost isn't in the safeguards. The cost is in the governance structures (i.e. time spent by mid-level managers) that ensure the safeguards are followed and applied consistently across the organization.
Encrypting database fields is basically free. Making sure all database fields that should be encrypted are is an expensive process.
Until there's a good reason to do so people aren't going to bother.
It may be worth considering that adapting said FLOSS software, doing the requisite custom integration work, and then doing a large migration successfully might all be perhaps slightly less free than the software you correctly and wisely point to.
The real costs and work are in the migration and adoption of new tools (regardless of the cost of the tools themselves).
They're already using a system that works for them, why bother changing to something else?
I believe it was in one of Henry Cloud's books on boundaries where I learned the idea that people roughly fit into three categories.
- they want to treat others well, and if you inform them of a boundary they've overstepped, they'll try to correct it
- they care about themselves within the framework of our society and laws, but are not keen on giving up anything for anyone else. If you want to enforce a boundary with them, you have to find a way to shift the consequences of their actions back onto them. Only if it hurts them, will they change their behavior
- they don't care about laws, society, decency, etc - you'll need guns and lawyers.
Right now it feels like many corporations are on a wide line between the second and third description above... what a sad realization!
The fines for neglect of personal customer data need to be so high that the boards of these companies and their shareholders demand that their executives make security a priority.
HIPAA (https://compliancy-group.com/hipaa-fines-directory-year/) is a decent model and it does seem like security is taken more seriously in the healthcare industry in general. That being said, the actual fines are relatively low when you look at the size of some of these companies.
Anthem is one example: https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16...
That was the largest HIPAA fine ever ($16 million) for a company that pulls in $90 BILLION in revenue each year and 79 million people had their information compromised in that event. That fine is basically a rounding error for them. Still, this outcome is better than what happens with most non-healthcare security compromises, which is basically nothing except "we're sorry, we take security seriously, and here is one year of credit monitoring."
According to their 2017 annual report, Marriott had $22.9bn in worldwide revenue. A 4% penalty on that would be $900M.
The question is probably if it is state of the art to encrypt passport numbers. If yes, then Marriott could be fine with a similar argument of "the company knowingly violated its duty to ensure data security".
the grace period started two years ago until May 2018...
people seem to forget that the GDPR was technically already a law in 2016, it was just not enforced.
Does "select passport from customers" no longer work as a query? Or do you store an encrypted value in the table that you then decrypt on demand? Is the decryption performed by a microservice that adds an additional layer that would need to be hacked?
That is precisely one model. In fact, there are hardened "vault" appliances designed for exactly this class of use cases. All sensitive PII is 1) encrypted on the vault and 2) replaced externally with a random token. Most of the time, the rule is that the plaintext PII is never removed from the vault. E.g. to compare a value, a new one is sent to the vault to (idempotently) retrieve a token.
Done right, this gives you other features/requirements such as the ability to rate limit and set alarms on vault accesses. E.g. if someone were trying to brute-force retrieve vault data via token retrieval.
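The vault model described in the comment above, as an added sketch that is not part of any comment in this thread: values are swapped for random tokens, the same value always returns the same token so callers compare tokens instead of plaintext, and every vault access is rate limited per caller with an alarm. `TokenVault`, the caller names and the sample passport number are hypothetical, and encryption of the vault's own store (which a real vault would do with an HSM or KMS key) is left out.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class RateLimited(Exception):
    """Raised when a caller exceeds its vault access budget."""


class TokenVault:
    """Hypothetical in-memory vault; a real one encrypts its store at rest."""

    def __init__(self, max_calls=5, window_seconds=60.0, clock=time.monotonic):
        self._index_key = secrets.token_bytes(32)  # never leaves the vault
        self._token_by_index = {}   # HMAC(value) -> token, for idempotent lookup
        self._value_by_token = {}   # token -> plaintext (encrypted in a real vault)
        self._calls = defaultdict(deque)
        self._max_calls = max_calls
        self._window = window_seconds
        self._clock = clock
        self.alarms = []

    def _charge(self, caller, operation):
        """Count one access against the caller's sliding window."""
        now = self._clock()
        recent = self._calls[caller]
        while recent and now - recent[0] >= self._window:
            recent.popleft()
        if len(recent) >= self._max_calls:
            self.alarms.append((caller, operation, "rate limit exceeded"))
            raise RateLimited(f"{caller}: more than {self._max_calls} calls per window")
        recent.append(now)

    def _index(self, value):
        # Keyed hash, so the lookup index cannot be rebuilt outside the vault.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).digest()

    def tokenize(self, caller, value):
        """Return the token for value, minting a random one on first sight."""
        self._charge(caller, "tokenize")
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, caller, token):
        """Release plaintext; the rare, audited path."""
        self._charge(caller, "detokenize")
        if token not in self._value_by_token:
            self.alarms.append((caller, "detokenize", "unknown token"))
            raise KeyError("unknown token")
        return self._value_by_token[token]


def demo():
    fake_now = [0.0]  # injectable clock keeps the run deterministic
    vault = TokenVault(max_calls=5, window_seconds=60.0, clock=lambda: fake_now[0])
    passport = "X1234567"  # constructed sample value

    # The customers table outside the vault only ever holds the token.
    stored_token = vault.tokenize("checkin-app", passport)
    idempotent = vault.tokenize("checkin-app", passport) == stored_token

    # A caller cycling through candidate numbers to match tokens hits the limit.
    blocked_after = None
    for n in range(10):
        try:
            vault.tokenize("reporting-job", f"X{n:07d}")
        except RateLimited:
            blocked_after = n
            break

    fake_now[0] += 61.0  # the window expires and normal use resumes
    recovered = vault.detokenize("reporting-job", stored_token)
    return {
        "stored_token": stored_token,
        "idempotent": idempotent,
        "blocked_after": blocked_after,
        "alarms": list(vault.alarms),
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```
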
1. Most companies, even large ones, do not encrypt everything. Some do, usually because they have to according to some regulation of the space they operate in (HIPAA for example).
2. Passport numbers are a grey area. Is it public information? Is it private information?
3. Even if you encrypt your database, the key will most often be lying next to it. Unless your company really cares about security, because they have to by design, they will most often not architect an infrastructure that protects the key.
(4) the term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph;
...what? A database stops working as a database if you encrypt every field
If you encrypt at rest/in transit (which you should legally) then you're only protected against a very limited set of threats
Encryption is not going to save you if you have SQL injection or webserver breach
Encryption is good but protects against hardly anything, usually physical attacks, do not try and encrypt at the application level, password fields are encrypted because you should never need to query it
Passwords are the exception not the rule
As engineers, we are awed when flaws like Rowhammer and Spectre are exposed, but the fact is that a lot more data is being exposed by very simple means. The fact that corporations are still being breached by these efforts is troubling. I think it shines a bad light on both corporate entities and security consultants.
This also means, disks walking away are always encrypted. We physically shred all of our disks, but humans can make mistakes.
If you are encrypting your passwords you are already doing it wrong.
There's a lack of attention at the executive and organization levels in these major corporations, so they're not set up to deal with security threats in a forward looking way.
They tell developers to "not worry about it" and force deadlines on them that don't allow for doing things right.
I'm almost certain Marriott has security people telling the higher-ups that they need to do X to protect security, but if other companies are not subjected to that same risk, revenue growth is always going to win over security.
This will never change until governments start holding these companies liable with severe penalties that are not simply "the cost of doing business."
Companies seem to have no idea who is who.
90% of their IT staff's time was calling up their vendors support teams and convincing them to join a conference call together and then telling vendors from different companies to just make it work, whatever it was. They thought that was just how you did things.
Eventually we told them "naw we're not doing that anymore stop eating our support team's time". They threatened to move on to another vendor and tried... but couldn't actually pull it off because... they simply didn't have the manpower or technical knowledge.
Once the file system is mounted the filesystem is unlocked. This is the way things like LUKS, which has been around forever, work today.
Give it to the spy organization.
Not being snarky. That was meant as a serious comment. Maybe there is some kind of requirement to inform the appropriate organizations of the passport numbers of any foreigners in your hotel?
Somewhat OT but I was in Europe last month on a business trip. There's a knock on the door one evening. Imagine my surprise in discovering it's someone from the hotel who has come up with a few edible goodies for my birthday. On the one hand, it was a nice gesture. On the other, I was a bit taken aback. Where did they get that info?
I didn't really want to ask but a friend of mine later reminded me that they probably got it off my passport. I suppose this might have just been an informal process at this particular hotel. But I wouldn't be shocked to learn it was put in the chain's database.
Hard to share any very useful insights on this, it's just the state of most things.
I'm not quite sure what you mean, but the answer is probably no.
>Can hotels be fined if they’re found to not be GDPR compliant?
Sure, but is anyone GDPR compliant yet? I'd imagine that all the DPAs in EU are extremely busy right now.
In the UK, there's no need because it's an island, so passports can be more easily screened at the borders.
In the UK, "The Immigration (Hotel Records) Order 1972" says:
> 4.—(1) Every person of or over the age of 16 years who stays at any premises to which this Order applies shall, on arriving at the premises, inform the keeper of the premises of his full name and nationality.
> (2) Every such person who is an alien shall also—
> (a) on arriving at the premises, inform the keeper of the premises of the number and place of issue of his passport, certificate of registration or other document establishing his identity and nationality; and
Some countries (China and Russia spring to mind) require you to register your lodgings with the police, which the hotel do for you. It seems standard practice to hand over your passport at international hotels.
Israel sometimes has more nefarious reasons than tracking where foreign citizens are
A Serious Organised Crime Agency investigation into the misuse of UK passports in the murder of Mahmud al-Mabhuh in Dubai in January 2010 found circumstantial evidence of Israeli involvement in the fraudulent use of British passports. This has raised the possibility that your passport details could be captured for improper uses while your passport is out of your control. The risk applies in particular to passports without biometric security features. Only hand your passport over to others (including Israeli officials) when absolutely necessary.
This is the case in most countries I've traveled to.
Airbnb and similar tend to be vastly friendlier to privacy-conscious travelers, usually collecting less than legally required (they also do a very bad job of verifying what they do collect).
Yeah, in the US the hotel situation tends to be significantly better than in the EU.
It's a requirement for hotels to have passport numbers in many jurisdictions. Have you never used a hotel before?
I've never had a hotel ask for my passport when traveling in the US as an American for example. I'm sure they would take it if I offered, but my drivers license is considered sufficient.
Note that in the EU, at least, the data is not sent to the government authorities, but it must be available to them.
In the US to get a passport isn't an arduous process, but it isn't easy nor cheap; when I got mine done (full thing - card and actual passport), I had to first get a passport photo taken and paid for (Walgreens), then go to a local courthouse during a weekday (which I had to take off the time for), then pay a bunch of money (oh - and I had to give them my birth certificate and some other ID - which I got back when I received my passport weeks later) - then wait.
I think there were fingerprints involved too...
Anyhow - it wasn't an easy or cheap process, but I can understand why they make it that way. But for most people in the US, unless they travel internationally, they never obtain a passport, because of this process. It is only set up for people who can afford it (both in time and money).
So - if it is a requirement in other areas of the world, then receiving or obtaining a passport would have to be made easier for those who couldn't afford the time or money; time could be made by legislation making employers provide time for doing such a thing, and/or keeping courts or wherever to process the applications open on weekends or have later hours or something.
Of course - we are talking about "non-US" places, which seem to have far saner social policies under which this would fall...
In my experience, hotels only need a passport or similar identification for non-citizens or non-residents — both would usually have a passport or equivalent to be in a foreign country.
(But to answer your question, for a first adult British passport one needs a digital photo, birth certificate, and a parent's passport number. Everything is done online.)
form of identity.
concierge service to lookup status/book travel for guests.
They could even optionally store one or more profiles that you could use for streamlining your interactions with various private industries: financial services, health care, employment, shopping, and travel could all have separate datasets about you stored for convenience.
Then when you want to do business with a company, you grant them access to the appropriate profile. When you conclude your business, you revoke access.
The same would be great for phone and email networks. Basically instead of giving someone your contact info, you give them a voucher to contact you. They call or email to the service and include the voucher (all automated) and the service either forwards it along or ignores it based on whether the voucher is valid. And you can invalidate any voucher at any time for any reason.
For people that like things simple, they could use a single voucher for everything, but for people who want more control they could do separate vouchers for everyone, or some easier middle-ground like family, friends, professional, commercial, and misc.
Faking DNA; well for that it would depend on how the test was administered. A cheek swab would be reasonably easy to fool, a blood draw less so if administered carefully. This is all assuming no corruption or anything; DNA tests contain no cryptographically attestable proof of match.
Any who knows, with DNA based therapies you might find yourself unable to pass a DNA test for yourself in the future.
In contrast, if you have public-key encryption people are going to build systems on the assumption that your private key is only available to you despite several decades of history showing that's not a safe assumption.
In person the government will have their own redundant and convoluted process to verify you before giving you a message to sign, just like today to reissue a SSN
A leak of lots of non-secret data (eg email addresses) is an integrity problem not a security problem. A leak of passwords or other secret data is a security issue.
People treat your SSN as a password, when really, it just uniquely identifies you. It's basically an Email Address, not a password.
not even. you need other data points, like DOB, to build enough uniqueness, and there are still many stories of collisions.
Try working face-to-face in communities of recent, poor immigrants where five, six, even ten people using the same (likely purchased) SSN is not unusual. I've seen entire families using the same SSN.
Wouldn’t most people’s SSN’s be leaked already so using SSN rather than proper ID isn’t much better than nothing?
Some are finally requiring a PIN or passcode, but very few in my experience.
I'd rather see something like Bitcoin's HD wallets used for identification - your private keys are on a hardware device, but you can generate new "personal identifiers" for use with public services that, if compromised, could be burned through a central registry without requiring a replacement of the private keys.
That said, you may also want to consider that a system design may want to have the ability to re-issue private keys. It's wise to assume that hardware dongles may, in the fullness of time, prove attackable. Certainly many Bitcoin wallets have.
It would be unreasonable to charge people a fee for a basic requirement of being enabled to be verifiable by their government. Especially if the system you're imagining is to be used for things like identification to establish voter eligibility.
Your idea of using income levels is an interesting and intriguing one. Thank you for bringing it forth for discussion! However, have you considered that it may pose some complications, such as how one can document and prove income without a way to prove identity in a system where every such document is tied to identity? Might it not be easier to skip that administrative overhead entirely?
I can well imagine everyone receiving a hardware key generator for personal identification purposes. Some id cards already have something similar and it shouldn't be all too expensive.
How would any of those be feasible with coarse mapping of ID to human?
If I tell you that I am Spooky23, 123 Main St, anytown, AK, email@example.com, what more uniqueness do you need?
Hoarding passport numbers, drivers licenses, ssn, etc usually doesn’t serve a legitimate purpose. When it is required to meet compliance or other requirements (say a payroll processor who needs an SSN to withhold taxes), it needs to be protected and have access controls.
Marriott does not have any need to authoritatively know who I am beyond payment arrangements. I'm not borrowing money from Marriott, so they don't need my SSN. They may need my passport when I check into an international hotel to meet compliance requirements, but they don't need to store it in a reservation system, and don't need to store it beyond the international jurisdiction where I checked in.
Name, address, and email probably isn't fine-grained enough, as multiple people can all share the same information - and name isn't enough because some people name all their kids the same, sometimes the same as the parents (yes, it is crazy insane, perhaps narcissistic - but people). Then there are those who do similar things for fraudulent reasons.
In theory (I'm sure there are ways around it) no two people should have the same passport and passport ID number. Now, not everyone has a passport, but if they do, and they are travelling internationally, Marriott likely would rather have that information, so they can track you as you use their services in multiple places around the world (and offer you various amenities, upgrades, advertising, etc of course)...
That would be my guess.
Less nefariously*, I did a bit of digging and in the UK, hotels are required to record an ID for aliens (ironically, there is no central ID system in the UK, which I assume is why it's for aliens only). If the liability is on the hotel in case of incorrect information, it makes sense they would require the most common form of internationally recognized ID (a passport). Italy has a similar system introduced in the 30's by the fascist govt at the time for keeping track of who was where when. If I were an international business, it would make sense to me to comply with the regulations everywhere rather than try to selectively enforce it.
(Nefarious-ness of Marriott. Not necessarily a comment on trusting the people who came up with the law in the first place)
Hoarding numbers serves the very purpose of ensuring a unique assignment. For instance, if "the" department of transportation did not have a "global" database, then it would risk minting the same number twice. That having been said, it is true that knowledge of a "master" identity is not a requirement for making payment arrangements.
For most commerce, I need to be able to tell that you are the same “Spooky23” who was here last time.
If you need to positively and authoritatively identify me, collecting numbers is not sufficient. End of the day, these companies are either overcollecting for convenience or doing a poor job of collecting information for compliance purposes.
Or both. Overcollecting makes sense at a global level (all systems the same everywhere), but even if they only collect what they need they're clearly not treating it correctly.
In response to your moved goalposts: how is storing the passport ID different from storing the address or email? Are all three not "externally defined unique IDs"?
I didn't say these things were impossible, just that they are about collecting debts, so I've tried to respond below by showing how they allow parties to collect debts.
- Personalized tracking for marketing and advertising use cases is about changing subject behaviors, so that they spend their time and energy on things that other people want them to spend it on. Grocery store "loyalty" cards are one of many examples of how we cede agency -- in this case, allowing a corporation to assign a debt in the form of coupons that predispose us to buy a particular item. Does the 49 cents off the chocolate treats make the 30g of sugar more healthy? This is textbook predatory behavior.
- Phone numbers are a thing because we rely on centralized communications where the phone number is associated with an account billed monthly for collecting a usage debt. However, with technologies like torrents and WebRTC this is changing. In the future, maybe you provide each of your friends and family with a unique signature that allows them to look you up on the net?
If I could give up my phone number, it would certainly cut down on all of the robocalls and spam I get every day. This isn't novel or weird: many people already hand out email addresses of the form firstname.lastname@example.org to bucket spam.
- A physical address is a weird example because it identifies a physical location, not a person. I am not my home address; I just sleep there sometimes. Sometimes, I'm sleeping somewhere else.
- Club membership? That's easy - if you're paying for membership, then they need an account id to collect the debt for your membership. If you're not paying for membership, they don't need an ID. There are lots of clubs or meetups that don't require IDs -- the evening tech meetups/bar crawls around Seattle, for example.
- Passports, Customs, and Borders exist as a mechanism for the state to collect taxes on goods crossing international borders. Not the only mechanism, just one of them. Governments are currently struggling with goods and services crossing international borders digitally bypassing these checkpoints. I'm not sure, though, why you think passports are a humane thing -- we put tags on livestock.
(not the op)
My medical history is mine; it's ultimately not yours. If you need my medical history, allow me to give you limited access to it.
Now, if your billing is opaque and you're playing shenanigans with the insurance companies about who owes what, then sure, you need my Passport, SSN, DNA, Real ID, and biometrics -- and you should probably hold my medical history hostage too -- to make sure that you can collect on the debt.
Unless they ended the program, you forgot the word "yet"
That's a bit of an overreaction. It has at least guaranteed that the intruder has active keys on a relevant system that can access the data. It ups the ante with reasonable/minimal cost.
Encryption at rest is a defense-in-depth approach allowing you to be sure that e.g. some random stolen backup image (perhaps of a 3rd party system) doesn't expose your etc/shadow or user tables for subsequent rainbow-table attacks.
There are also certain types of encryption at rest where it buys you absolutely nothing though, e.g. using AWS' builtin encryption at rest for S3. No one is going to break into the AWS datacenter and steal the data from the physical disks.
This really comes down to companies simply collecting way too much information. Consumers need to push back against this type of data collection. Only give information which is clearly required for their business and nothing more. Also the companies should only retain that information for long enough to conduct their business.
I love that when I’m traveling for business everything is arranged for me, but I hate that I get put in situations where I’m booked into big hotels with policies like this.
Increasingly it seems like there should be some kind of regulation that (with exceptions) if a good or service costs money, you should be able to buy it in exchange for money, and refuse to provide personal information even if requested.
Or to put it simply: Passport numbers make identity theft easier.
I think I have become numb to this stuff. I just assume it’s all out there and thus keep an eye on my credit reports, et al.
I am more pissed about the basic level of OPSEC I see at these companies. I am even more worried about the same thing at our Defence contractors and related companies.
Guests need to be offered the question of whether they care to share X data, and guaranteed that a "no" answer will not affect their ability to do business and receive services in the slightest -- nor the price they receive.
Many people scream bloody murder WRT regulation. However, here we have a clear and repeated industry failure -- one with significant knock-on costs and risks.
So, tough. You failed.
I could also cough up a protest on my part against the whole misleading notion of "self-regulation". And point out that in an era of increasing consolidation into brands under very few and very large holding companies, effective competition -- including and with respect to data and security practices -- is largely absent.
P.S. Where data collection is required, standards and aggressive auditing should be funded and enforced.
People in the U.S. generally seem to have no problem with FDA regulation and inspection of meat production. (Not realizing how industry political initiatives continue to stress and periodically threaten this, e.g. inspection budgets.)
Well, it seems we're to the point of needing an FDA for data, or something like.
I say this with trepidation. And any initiative should come with a healthy dose of "audit the auditor", to keep requirements and process transparency to a maximum and minimize the governments' own carve-outs and attempts to siphon off the data whose processing is under inspection.
Back to my accounting days. How do you prevent mistakes, error, and fraud? Well, orthogonal processes with robust cross-checks certainly help.
Requiring credit cards, government issued photo ID, age over 21 are all methods of preventing guests who trash rooms, sneak in pets and cause noise disturbances, underage partiers, pimps and hookers, drug dealers, excessively dirty and causing pest problems etc from messing up the business. Same with car rentals and flights. Some people are problematic, and it affects other customers, and you need a way to mitigate the problem.
In the US, almost all local ordinances require hotel operators to keep track of who is staying in which room for a year or so (some even require photocopying, although that's not always followed), and to hand over that info to police whenever they demand it.
This kind of data breach is reported every week, yet nothing is being done.
Also, in general, be conservative about what PII you collect; hackers can't steal information you don't have.
The UK ICO will hopefully intervene in a few months.
In the USA, remedy actions are class-action-lawsuit driven and corporations do not have an incentive to change their behaviour.
Truth is, lots of extremely sensitive data exists in insecure states all the time.
So, yes, I draw a distinction between numbers that we hand out willy-nilly and truly sensitive information. There's a big difference between my checking account number and my health records.
This would only require a name, not a passport number. A passport number would simply be of no use here, there doesn't exist any¹ automated mechanism for Belarus to verify foreign passport numbers.
¹Well OK, with biometric passports it is possible to cryptographically verify some data.
At least right now the NFC chips simply have no effect on passport forgeries.