90,600 Passport Scans Stolen from Hotels. Yours Might Be One of Them.

Imagine you checked into a nice hotel in Rome last summer. You handed over your passport, the receptionist scanned it, and you went to your room. Normal Tuesday.

Except somewhere between June and August 2025, a hacker group called “mydocs” was busy breaking into the booking systems of at least ten Italian hotels. They walked out — digitally speaking — with 90,600 high-resolution scans of passports and national ID cards. Guests from who knows how many countries, spanning who knows how many years of hotel records.

Then they put them up for sale on the dark web. Price: $1,000 to $10,000 per batch.

What happened

Italy’s Agency for Digital Italy (AgID) confirmed the breach. The hacker posted the stolen scans across multiple dark web forums between August 8 and 12, 2025, advertising them as high-resolution images suitable for identity verification bypass.

According to Malwarebytes, the documents included full passport data pages — names, photos, document numbers, dates of birth, MRZ zones, and signatures. Everything you’d need for a convincing identity theft.

The scariest part? It’s unclear how many years of scans the hotels had been storing. Your passport scan from a trip three years ago might still be sitting on a hotel server, waiting for someone to come grab it.

Why hotels are perfect targets

Think about it from a hacker’s perspective. Hotels are goldmines because:

1. They collect the most sensitive document most people carry — passports
2. They store copies for years — often with no clear retention policy
3. Their IT security is… hotel IT security — small teams, legacy systems, tight budgets
4. They process thousands of guests — huge volume of high-value documents
5. Guests never follow up — nobody calls the front desk to ask “hey, did you delete my passport scan?”

A single mid-sized hotel might have 50,000 passport scans on a server. Ten hotels? Half a million.

What can someone actually do with your passport scan?

More than you’d think:

• Open bank accounts in countries with lax verification
• Apply for loans or credit cards using your identity
• Pass KYC (Know Your Customer) checks on crypto exchanges, fintech platforms, and online services — especially with deepfake technology to match the photo
• Create forged physical documents using your scan as a template
• Social engineering — calling your bank pretending to be you, with all your details ready

According to NordVPN research, a scanned passport sells for $10–$200 on the dark web. Verified EU passports go for over $5,000.

What you can do about it

You can’t control hotel security. But you can control what you hand them.

Before you hand over your passport:

1. Ask if they need a copy or just need to see it. Many hotels only need to verify your identity — they don’t need to keep a copy. EU privacy regulations (GDPR) support you here.

2. If they insist on a copy, provide a redacted one. Black out your passport number and MRZ zone. Add a purpose watermark: “Copy for Hotel [Name] — [Date].” Share that version instead of letting them scan the original.

3. Ask about their retention policy. How long do they keep the copy? When do they delete it? Under GDPR, they must have a clear answer.

4. Follow up after checkout. Send a quick email asking them to confirm deletion of your document scan. It takes 30 seconds.

The bigger picture

The Italian hotel breach wasn’t an isolated incident. It was just the one that made the news. Hotels worldwide are sitting on millions of passport scans with varying levels of security and no consistent retention policies.

The fundamental problem is simple: we’ve normalized sending high-resolution copies of our most sensitive documents to people and organizations with no obligation to protect them.

The solution isn’t to stop traveling or refuse to show your passport. It’s to give them less. Redact what they don’t need. Watermark what you do share. And always, always ask: “do you really need to keep a copy?”

Your passport scan from that lovely hotel in Tuscany shouldn’t still be sitting on a server two years later. And it definitely shouldn’t be available for $10 on a forum you’ve never heard of.