Marriott Data Breach Could Change Passport Laws and Security

Companies may have to notify guests if their passport numbers are stolen.

The Marriott data breach that occurred in late-2018 could lead to several new laws when it comes to stolen passports.

Marriott-owned hotel chain Starwood admitted to a breach of their guests’ data that was quickly named the largest personal record theft in history. Early reports had nearly 500 million guests at risk of the breach, but that number dropped to 383 million.

For millions of travelers, that also meant their travel documents were at risk. The hotel chain admitted passport numbers were also stolen in the breach.

Whether encrypted or not, no passport numbers were safe. Marriott’s CEO stated over 5 million unencrypted passport numbers were exposed, along with 18.5 million encrypted digits.

While the Marriott breach broke records, stolen passport info is not a new situation.

The United States Office of Personnel Management (OPM) also announced stolen information in June 2015. The OPM reported that hackers stole 5.6 million sets of fingerprints. The fingerprints belonged to federal employees.

While leaked information of this size is always a problem, it can prompt positive change.

Some have pointed out need for better cyber security at such companies. Marriott also admitted to possible plans to change where they store those passport numbers. We may also see a change in how companies respond to similar breaches in the future. After the dangers from both OPM and recently Marriott, legislation could be coming to help customers.

Though Starwood revealed the data breach, companies aren’t currently legally required to disclose such situations. Even if passport numbers or biometric data have been stolen, they don’t need to tell customers.

California Attorney General Anthony Becerra recently launched a bill to alter that rule. The bill requires companies to inform customers when their biometric data or passport numbers have been compromised.

Becerra’s bill should close loopholes in California laws, the state where Marriott’s leak took place. Data breach notifications laws would now force companies to notify users if passport information is stolen.

Currently, under California state law, a breach of only some personal information requires a notice to customers. Those include Social Security numbers, driver’s license numbers, banking and insurance information.

“We have an opportunity to make our data breach law stronger,” said Becerra. He added that this legislation could create problems for cybercriminals in the future. Companies could take more steps to protect passport numbers, knowing such a breach would go public.

While this appears to be a step in the right direction to protect passports, California remains one of the only states with such protection.

Do you have any questions about your own passport safety? Do you need help getting a passport for any upcoming trips? Passport Health can help! Give us a call at or take a look at any of our other passport and visa services.

Written for Passport Health by Jerry Olsen. He has over 15 years of combined experience as a writer and editor in Salt Lake City. Jerry’s writing topics range from health care, travel, life science to medical technology and technical writing.