By Taylor Telford

The Washington Post

Following a colossal data breach that compromised sensitive personal information, including some passport numbers, of millions of guests, Marriott International agreed to pay for passport replacements if the company finds customers have been victims of fraud.

The breach, which took place over four years and affected 500 million guests, was different in its scope and the bevy of personal information hackers accessed through the reservation system of Marriott’s subsidiary, Starwood: gender, birth dates, email and mailing addresses and phone numbers. The hackers accessed passport numbers for a “smaller subset of customers,” Marriott said.

While the State Department said its records and systems were not connected to Marriott’s and that a fake passport could not be created with a passport number alone, experts and government officials have expressed concern the passport numbers, in concert with the other personal data, could pose serious risks of identity theft — and be a threat to national security.

On Sunday, Senate Minority Leader Chuck Schumer, D-N.Y. suggested Marriott cover the $110 charge for customers requesting new passports after the breach. Marriott believes the chance of hackers using passport numbers “is very low,” spokeswoman Connie Kim said in an email.

“We are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” Kim said. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”

Hackers accessed the reservation system of Starwood hotels — which includes brands like Sheraton, St. Regis and Westin — sometime in 2014. The breach went undetected during Marriott’s acquisition of Starwood in 2016 and wasn’t discovered until early September of this year.

After Marriott announced the hacking attack Friday, the hotel giant was deluged with criticism about its security practices, and with questions about how it was doing to protect its customers.

New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro said their offices opened investigations into the Marriott breach.

For many other government officials, the breach has become a rallying cry for arguing for stricter consumer privacy regulation.

“Checking in to a hotel should not mean checking out of privacy and security protections,” Sen. Ed Markey, D-Mass., a member of the Commerce, Science and Transportation Committee said Friday. Marriott has set up a website and call center to answer questions at, and said it is emailing affected guests on a rolling basis.

The company is based in Bethesda, Maryland, and has more than 6,700 properties around the world.