Marriott breach: Here's the risk of a compromised passport number

  • Marriott announced Friday that 327 million consumers affected in its data breach had information compromised that could include a passport number, among other data.
  • Experts say thieves could use your passport data in conjunction with other personal details to verify your identity in opening new accounts or gaining access to existing ones.
Unrecognizable traveler checks in at the airport by using a self serve kiosk.
asiseeit | E+ | Getty Images
Unrecognizable traveler checks in at the airport by using a self serve kiosk.

A compromised passport number could be your ticket to identity theft woes.

Marriott International announced Friday that hackers had accessed the reservation database for its Starwood Hotels brand, compromising data for 500 million guests.

For 327 million of those affected consumers, the hotelier said, the information compromised "includes some combination of" data points including name, mailing address, phone number, email address, passport number and date of birth. Some of those guests may also have had their payment card information compromised.

"For the remaining guests [in that 500 million total], the information was limited to name and sometimes other data such as mailing address, email address or other information," they said.

Experts say the potential for stolen passport numbers makes it more important for affected travelers to keep an eye on their accounts and take steps to protect themselves. (See tips below.)

"To replicate a passport takes a lot of effort. I wouldn't necessarily consider your passport compromised." -David Kennedy, chief executive of TrustedSec

While plenty of individuals deal with a lost or stolen physical copy of their passport, it's less common to see passport numbers included in a breach.

"Passports compromised on a massive scale is somewhat unusual," said Eva Velasquez, chief executive and president of the Identity Theft Resource Center.

But not unheard of.

In August, Air Canada announced its app suffered a breach affecting about 20,000 users, and warned that passport numbers and other details may have been among the accessed data if users had provided them. Equifax said earlier this year that 3,200 passport images were stolen last year as part of its 2017 breach affecting some 148 million consumers.

One of the worst-case scenarios would be someone forging a passport with your number, leading to criminal identity theft. That risk is likely low, said David Kennedy, chief executive of TrustedSec, a white hat hacking and cybercrime investigations company.

"To replicate a passport takes a lot of effort," Kennedy said. "I wouldn't necessarily consider your passport compromised."

Nor are breached passport details necessarily as dangerous as having your physical passport go MIA.

"There's not much that can be done with a passport number alone, as long as you have the actual passport in your possession," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.

More from Personal Finance:
On the IRS naughty list: You failed to withhold enough pay for taxes in 2018
7 steps to start paying back your student loans
Online lending hasn't removed discrimination, study finds

Concerned consumers should reach out to the State Department to determine next steps, which might entail reporting that passport as lost or stolen, Velasquez said. Renewing your passport would also result in a new number, Kennedy said.

In an emailed statement to CNBC, the State Department said that it was aware that some individuals' passport numbers may have been disclosed in the Marriott breach, but that compromised passport numbers could not be used by the thieves for travel or to access any State Department records on that citizen.

"With respect to U.S. passports, we would like to assure U.S. citizens that the U.S. passport book and passport card are highly secure documents with numerous security features designed to prevent successful counterfeiting," the State Department said, in a statement.

The bigger risk for consumers is that combined with other data — including many of the other elements compromised in the Marriott/Starwood breach — having that passport number helps criminals build a profile of you that could be used to perpetuate other kinds of fraud, Stephens said.

Those credentials could be used to verify your identity to open new accounts online, or gain access to existing ones. All the more reason to take steps such as enacting two-factor authentication and setting up unusual transaction alerts on existing accounts, and freezing your credit to prevent new accounts from being opened.

"Really monitoring your credit is going to be important," Kennedy said.