#1243177: Companies Fail to Protect Passport Data, Exposing Customers to Criminal Schemes
Millions of passport numbers were exposed in recent data breaches, including incidents at Marriott International Inc. and Cathay Pacific Airways Ltd. Companies and individuals often fail to protect passport information, which security experts call the most sensitive form of personal data.
Because passport numbers are tied to only one individual globally, they’re most valuable for espionage, researchers say. Government-sponsored hackers could track company executives who travel frequently more easily if they have access to passport data.
“There will be high net-worth individuals, politicians, somebody of huge value to nation-state actors, and these people may suffer the most,” said Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future Inc.
Around 5.25 million unencrypted and 20 million encrypted passport numbers were compromised in a four-year cyberattack against Starwood hotels, parent company Marriott said last week. Equifax Inc.’s 2017 data breach exposed 3,200 images of passports and passport cards, the company revealed in a filing to the Securities and Exchange Commission last year.
Hackers are going after airlines -- likely keepers of passport data. A breach of Cathay Pacific’s networks exposed around 860,000 passport numbers, the airline said last October. At Singapore Airlines Ltd. this month, a software glitch exposed seven customers’ passport numbers. The airlines didn’t respond to requests for comment.
On the dark web, the average price of a scanned passport document was $14.71, as of September 2018, according to research from Comparitech Ltd. Many passport scans were sold in packs of 10 or up to 100.
Criminals can use stolen passport numbers in schemes to take over users’ online accounts or as part of physical crimes that call for credentials or forged documents to impersonate a victim and open accounts, travel or gain access to restricted areas, experts said. Nation-state hackers who have access to government records of who travels to and from a country could match a stolen passport number and track an individual’s movements.
“Passport numbers are a global identifier. That’s pretty much the best identifier you can get,” said Avivah Litan, vice president and distinguished analyst at Gartner Inc.
Companies often protect credit-card data better than they do passport information, Ms. Litan said. That’s in part because industry standards mandate that companies that process credit-card data must mask it with techniques such as encryption or hashing. They are also required to use software to protect against viruses.
In the absence of similar standards for passport information, she said, companies can improve protection with tools.
Security tokens, or bits of code, can replace passport numbers with random identifiers, she said. Or, companies could use devices known as hardware security modules that generate and store encryption keys, as well as verify signatures used by anyone who accesses encrypted passport numbers. Companies would store customers’ encrypted passport data in those secure machines.
These tools would make the information useless to thieves, Ms. Litan said.
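The token-replacement approach described above, as an added example that is not from the article or from any company it names: the booking record keeps only a random token, and the real number is released only to an allow-listed caller. The `TokenVault` class, the `border-reporting` caller and the sample passport number are hypothetical, and the in-memory store stands in for one whose keys and data sit behind a hardware security module.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical in-memory vault; a real one keeps its key and store behind an HSM."""

    def __init__(self, authorised_callers):
        self._index_key = secrets.token_bytes(32)   # keyed index, never leaves the vault
        self._by_index = {}                         # HMAC(passport number) -> token
        self._by_token = {}                         # token -> passport number
        self._authorised = set(authorised_callers)
        self.audit_log = []                         # (caller, token, allowed)

    def _index(self, passport_number):
        normalised = passport_number.strip().upper().encode()
        return hmac.new(self._index_key, normalised, hashlib.sha256).hexdigest()

    def tokenise(self, passport_number):
        """Return a random token; the same number always maps to the same token."""
        idx = self._index(passport_number)
        if idx not in self._by_index:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the number
            self._by_index[idx] = token
            self._by_token[token] = passport_number.strip().upper()
        return self._by_index[idx]

    def detokenise(self, token, caller):
        """Release the real number only to an allow-listed caller, and log every attempt."""
        allowed = caller in self._authorised and token in self._by_token
        self.audit_log.append((caller, token, allowed))
        if not allowed:
            raise PermissionError(f"{caller} may not detokenise {token}")
        return self._by_token[token]


def build_reservation(vault, guest_name, passport_number):
    """The booking system stores the token, never the passport number itself."""
    return {"guest": guest_name, "passport_token": vault.tokenise(passport_number)}


if __name__ == "__main__":
    vault = TokenVault(authorised_callers={"border-reporting"})
    record = build_reservation(vault, "A. Guest", "x1234567")  # constructed sample value
    print(record)  # all that a copy of the bookings table would contain
    print(vault.detokenise(record["passport_token"], "border-reporting"))
```

Because the token is random rather than derived from the passport number, a copied bookings table cannot be reversed without the vault, and the audit log records every detokenisation attempt, allowed or not.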
Marriott used the same standard of encryption to protect some passport numbers as it used to secure credit-card information, a spokeswoman said, but Starwood didn’t. Marriott phased out Starwood’s separate reservation system at the end of 2018, she said.
While some local Marriott hotels do store passport information, the company is trying to encrypt all passport data it retains, according to the spokeswoman. “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations,” she said.
|Date added||Jan. 11, 2019, 2:58 p.m.|
|Source||Wall Street Email|