Hackers stole over 5 million unencrypted passport numbers from Marriott - Message to Corporates: You need to Legally Protect Privacy Information you Collect
Many (all?) hotels collect ID and passport details from customers, as do many other organisations even when it is not absolutely needed. Thing is, if you're storing it you have to protect it or face the consequences. Many countries now have some form of POPI Act which results in legal liability if that data is breached, and in some cases resulting even with the CEO being jailed. Gone are the days of just storing this information in an unencrypted database.
In South Africa, for example, the POPI Act says information should only be stored if there is a real reason to do, and only for as long as is needed, after which it must be safely erased. South Africans are also entitled to ask such a corporate what information is being stored about them.
See the Marriott International Hotels incident at #^https://mashable.com/article/marriott-hackers-5-million-passports/