Marriott is considering changing the way it stores passport information — a move that is not without risks — in the wake of the breach of the Starwood reservation system that Marriott announced in November.
In testifying before a Senate homeland security subcommittee, Marriott CEO Arne Sorenson said Thursday that in the future all of the passport data the chain obtains will likely be encrypted, and that the chain will likely opt to store passport information at the property level instead of in a centralized database. The hearing was convened to determine whether legislation is necessary to prevent large-scale data breaches in the future. (A video of Sorenson’s appearance before the subcommittee is embedded below, and his prepared remarks are there, as well.)
Sorenson noted that numerous countries require hotels to collect and even make physical copies of the travel document when guests check in. Starwood, which Marriott acquired in 2016, traditionally collected passport information and transferred it to a centralized platform; Marriott likewise gathered passport data locally, but didn’t transfer the information to a centralized database.
“I think we’ll look very hard at not centralizing any of it,” Sorenson said.
He said storing the information locally would make it a smaller target for hackers, but on the other hand Marriott needs to ensure that it can provide adequate cyber security tools to properties to protect against further breaches.
Sorenson said that as part of the 383 million guest records that were compromised in the 2014-2018 hack of the Starwood system, information about guests’ companions may have been exposed.
In an issue that hasn’t received much, if any, attention, Sen. Kamala Harris, the California lawmaker who’s chasing after the Democratic presidential nomination, asked Sorenson whether information about who stayed in guest rooms along with the person who made the reservation was also part of the breach.
Sorenson said in many instances, but not all, a hotel might have collected who was sharing the room with the guest, whether it was a spouse, child or someone else. “Certainly it could have happened in some circumstances,” Sorenson said.
Harris asked Sorenson if all of the travel companions had been notified. Sorenson said Marriott issued a press release about the Starwood breach and sent some 50 million emails informing customers, but conceded that, when it came to notifying travel companions, it’s possible that some people “slipped through the cracks.”
At any rate, Sorenson said he doesn’t believe that any information about currently upcoming reservations was affected by the hack, since Marriott generally takes reservations only up to about a year ahead.
The hearing centered on data breaches, and the morning session, when Sorenson appeared, saw credit agency Equifax getting the bulk of the attention.
The tone of the hearing was cordial, but still there was some pushback to Marriott. When Sorenson emphasized that 18.5 million of the more than 23 million passports compromised were encrypted, Sen. Maggie Hassan, a New Hampshire Democrat, countered that hackers can often beat encryption.
Due Diligence During the Merger
Sen. Jacky Rosen, an Arizona Democrat who previously was a software developer, told Sorenson that when she worked on mergers she had information technology teams auditing the acquired company’s systems as part of due diligence.
Sorenson said that in 2015, before the deal to buy Starwood was signed, Marriott had an IT team performing due diligence on Starwood systems for three-and-a-half weeks. “It was quite brief and we didn’t learn about any of this,” he said, referring to the Starwood breach that began in 2014. In the year prior to the deal’s closing in 2016, Marriott’s IT team was “deeply engaged,” Sorenson said.
“In retrospect, we wish we had done even more,” Sorenson added. “Obviously something happened.”
Asked by Rosen whether China was responsible for the Starwood hack, as U.S. Secretary of State Mike Pompeo alleged, Sorenson said “the short answer is we don’t know.”
Sorenson said Marriott has shared as much information as it can with the FBI, and that the company’s focus now is to ensure the “doors are closed” to further cyber attacks.
In his prepared remarks, Sorenson said “we deeply regret this incident,” referring to the 2014-2018 Starwood breach.
Subcommittee chairman Tom Carper, a Democrat from Delaware, argued that Starwood officials weren’t telling the truth about a November 2014 to October 2015 breach that affected payment systems at 54 properties. Carper said Starwood officials released a statement at the time indicating that the breach did not impact guest reservations.
The 2014-2018 breach, however, appears to have been a separate attack.
Here’s a video of the hearing:
Marriott CEO Arne Sorenson’s prepared remarks before the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations.