Passport numbers stolen from Marriott provide scammers with another ID theft tool

It's another piece of data that can be used to sell "fullz," or full stolen profiles used to commit identity theft.

Hackers who spent four years lurking inside the Starwood hotel chain’s guest database now have a valuable piece of the puzzle for stealing victims’ identities: passport numbers.

Marriott announced Friday that the stolen information on 327 million people “includes some combination” of passports and other personal information, such as phone numbers, email addresses, or payment card data. A passport number alone may not be especially valuable, but fraudsters can incorporate that information into an identity theft scheme, making those attacks more likely to be successful.

Sen. Chuck Schumer, D-N.Y., on Sunday called on Marriott to pay the fees to replace the passports of U.S. customers whose passport numbers were stolen in the breach, which amounts to $110 per passport holder.

Marriott did not immediately respond to a request for comment Monday about why Starwood collected guests’ passport information.


The breach also provides scammers with other information they can combine to build a detailed view of an individual’s travel habits, such as check-in and check-out history. Hackers also can leverage a Department of Homeland Security website to track how, when and where someone travels, Popular Science reported. Thieves would be able to select their best fraud target by plugging stolen information into that site and identifying victims’ travel habits.

Banks, insurers and phone companies may ask new customers for their passport information, meaning thieves now can use the same information to open a new account in someone’s name.

Hackers also can aggregate passport data into existing files about an individual, selling a passport number alongside a person’s bank account details, credit data, username and password credentials. Cybercriminals typically advertise an individual’s entire online identity as a “Fullz” file, which could be sold for roughly $1,000 on web forums, according to the Register.

It remains unclear whether nation-state spies or a gang of cybercriminals motivated by profit were behind the Marriott breach. But in either case, it’s unlikely the parties responsible will exploit the stolen passport numbers alone for travel, or to access sensitive government records about breach victims. That kind of access would require physical possession of a U.S. citizen’s passport book, the U.S. State Department said in a statement to CNBC.

“With respect to U.S. passports, we would like to assure U.S. citizens that the U.S. passport book and passport card are highly secure documents with numerous security features designed to prevent successful counterfeiting,” the department said in a statement.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
