U.S. Senator Charles Ellis 'Chuck' Schumer considers that Marriot should be the one to pay the $110 bill for their customers' new passports following the massive data breach suffered by the international hotel chain.
As reported by The New York Post, the New York Democrat said in a statement released on Sunday, December 2 that "Marriott must personally notify customers under the greatest security risk immediately and then foot the bill for those folks to acquire a new passport and number should they request it."
This is especially important according to Schumer given that the passport numbers and information the hackers stole during the Marriot breach can be used together with other compromised personal information in large-scale identity theft attacks.
Moreover, Marriot is the one to be blamed for their customers' personally identifiable information (PII) data since they relied on the hotel chain's ability to protect it, which unfortunately did not happen.
"Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture," Schumer also added.
Marriott International disclosed a huge data breach on November 30 which affected 500 million guests from the chain's Starwood guest reservation database.
Marriot also had the POS software in some of its hotels hacked in 2015 and 2016
The security breach happened four years ago, in 2014, and Marriot found out about it on September 10 following an internal security alert noticed by one of their employees regarding an attempt to access the Starwood reservation database.
Marriot acquired the Starwood chain back September 23, 2016, adding to its assets the St. Regis, Four Points by Sheraton, Aloft, W, Design Hotels, Westin, Le Méridien, The Luxury Collection, Sheraton, Element, and Tribute Portfolio hotel brands.
Out of the 500 million guests who got their PII stolen in the Marriot data breach, 327 million of them had their name, phone number, mailing address, email address, and passport number, while for some of them AES-128-encrypted payment card data might have also been exfiltrated by the hackers.
The rest of the guests up to the total of 500 million only had a combination of name, mailing address, and email address stolen, with some other information not related to passports or payment cards.
Arne Sorenson, Marriott's President, and Chief Executive Officer said that "We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
This is not the first time the Marriot hotel chain was affected by security breaches seeing that some of its hotels had their point of sale systems infected with POS malware in 2015 and 2016, allowing the hackers to steal payment card data of some of their customers.