The Marriott data breach exposed millions of passports. Here’s what thieves can do with them.

A passport is an important document and the information on it is gold for identity thieves.

Passport number
A biometric passport has the rectangle with the circle inside on the cover. Stan Horaczek

This morning, Marriott hotels revealed that an “unauthorized party” accessed its Starwood reservation database and made off with information regarding roughly 500 million guests. The hotel chain has reported the breach to the authorities and now begins the long process of sorting out just how violated each affected customer really is.

The leaked information is mostly what you’d expect—personal data you have to fork over when checking into a hotel for the night. That includes standard stuff you might lose in a typical breach, like your name, email address, phone number, and date of birth. Some credit card info also got out, but the chain says it’s not sure if the perpetrating scoundrels have the ability to decrypt it. What’s not typical, however, is the fact that the breach also includes passport numbers, a fact that comes with its own some specific risks.

How serious is it?

“Passport data is something you should hold onto more tightly than something like a driver’s license,” says Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group focused on privacy and security. “The biggest problem is that if someone is able to get a passport with your identity, they can cross jurisdictions. The nightmare scenario is that you travel overseas and someone has committed a crime there in your name.”

Fake passports have been a best-selling item on the black market for decades, and a fake U.S. document go up to $4,000 and beyond for someone who wants to impersonate a U.S. citizen domestically or when traveling abroad. While traveling with a fake document is increasingly difficult (more on that in a moment), a passport can provide a second form of ID typically required for opening accounts or proving residence.

What can hackers learn from your passport number?

Unlike some other hacks in the past, the Marriott breach gives up a lot of information about victims’ travel habits. By observing the check-in and check-out information, hackers can piece together a rudimentary travel history, but the passport number takes it a step beyond. According to the Department of Homeland Security, you can track your international travel using this online tool, which is available to the public. It requires your full name, your birthday, and your passport number, all of which were part of Marriott’s leak.

According to Dixon, that can be valuable information for hackers trying to pick the best victims. “If you’re the type of traveler who doesn’t go many places and keeps your passport in the drawer, that might make you a great target,” she says. “It decreases the odds someone will notice the fraud.”

A piece of the fraud puzzle

The Marriott hack doesn’t exist in a bubble. According to Gates Marshall, director of cyber services for information security and consulting firm, Compliance Point, roughly 800 million personal records have been compromised in November of 2018 alone, including other companies like Dunkin Donuts. “Attackers can aggregate that information and cross check it with lots of public information that’s already out there on social media and other public channels,” he says.

One way to get a fake passport is to use personal data to apply for a new one by reporting the old one lost or stolen. The process for applying for a new passport online is relatively simple and requires filling out a form that’s similar to signing up for a new streaming service or making a purchase—with a few extra requirements.

The most challenging part of re-applying is having a social security number for the victim, but Equifax leaked millions of those earlier this year. Beyond that, everything on the document (which you can also submit in person) could potentially be a part of Marriott’s leak or wrapped nicely into a bundle of identity information sold on the dark web.

Doesn’t biometrics make fake passports useless?

The amount of biometric protection baked into passports customs systems around the world—as well as compatible airports and other travel facilities—has climbed substantially, but support is still extremely spotty and unpredictable. If you have renewed your U.S. passport since 2006 or 2007, it likely has biometrics built-in. You can tell by the rectangular icon with a circle in the middle on the cover. It’s an added level of security, but techniques for fooling biometrics systems have already popped up to help fake passports more useful for illicit behavior.

“A technique called morphing helps some fake documents pass biometric tests,” Dixon says. It’s a process that involves using image editing techniques to combine the face of the victim with the face of the criminal into an amalgamation that’s close enough to get by basic face scanning or, even easier, a simple visual once-over from a human guard. In other words: the criminal uses their real face, but the accompanying photo on their document has been doctored. It’s the driving force behind a black market for selfies which currently exists on the dark web.

Should you replace your current passport? Getting a new passport is a relatively straightforward process and will assign you a different number specific to your new document. The old number will go out of service just as if you had gotten it replaced due to loss or theft. Still, it’s time-consuming and relatively costly, especially if you have travel visas attached to your document, which would terminate when you get the new number. If you’re close to expiration on your passport already, this is a good time to just get it out of the way, but if you want to renew earlier than the typical one-year window, you may need to explicitly explain why you’re doing it so far in advance.