Italian hotels breached en masse since June, government confirms
- Reference: 1755170113
- News link: https://www.theregister.co.uk/2025/08/14/italian_hotels_breached_en_masse/
The miscreant, operating under the alias of mydocs, claims to have gained access to the booking systems used by Italian hotels and stolen thousands of guests' sensitive ID documents between June and August.
AGID said on Wednesday the total number of affected hotels has risen to ten, a number that could go up further in the coming days.
Across various posts to a cybercrime forum, mydocs claims to have listed nearly 100,000 individual identity documents, including [2]passports and other ID cards.
Cybercriminals often make salacious claims about their nefarious exploits on these kinds of forums, and often they are either inflated, exaggerated, or outright false.
However, in AGID's advisory, the government agency said it intercepted an illegal sale of the documents in question, suggesting it was able to verify the authenticity of the data.
It went on to warn the public of [6]scams that could potentially target victims of the breach.
"This data, once stolen, can be used for fraudulent purposes: from creating false documents to opening bank accounts, to [7]social engineering attacks and digital identity theft, with potentially serious consequences for the victims, both financially and legally," the [8]advisory read (machine translated).
How far the data dates back or how exactly it was accessed remain unanswered questions. However, one affected hotel, the four-star Borghese Contemporary Hotel in Rome, only has 24 beds, yet mydocs claims to have listed more than 7,000 documents, suggesting the scale of the breach is either inflated or covers potentially many years' worth of visitors.
Italy's data protection authority, the GPDP, also issued a statement on Wednesday confirming some hotels had reported themselves due to the attacks.
"The Italian Data Protection Authority recommends that accommodation facilities that have not yet reported any irregularities promptly report any anomalies so that immediate steps can be taken to protect data privacy and, as required by law, notify affected guests of any breaches," it [14]stated (machine translated).
"Anyone who suspects that their documents may have been unlawfully stolen is also advised to contact the accommodations where they stayed for confirmation."
The GPDP said it has launched a formal investigation into the thefts. ®
[2] https://www.theregister.com/2025/08/08/uk_secretly_allows_facial_recognition/
[6] https://www.theregister.com/2025/05/02/gen_ai_spam/
[7] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/?td=keepreading
[8] https://www.agid.gov.it/it/notizie/documenti-di-identita-trafugati-alle-strutture-alberghiere-attenzione-alle-truffe
[14] https://www.gpdp.it/home/docweb/-/docweb-display/docweb/10158043
Retention of identity documents
This is a huge risk - it's the possession of these documents at least as much as the contents that makes them useful for confirming identity. Making a copy dilutes the concept of possession and accepting a copy negates it completely.
It's a problem that seems to get worse the further south in Europe you go (here in Portugal your passport/identity card will be photocopied when you sign up for a power contract, or broadband or even for membership of a local society) and there must be hundreds of copies of my passport in various poorly-secured paper files and e-mail inboxes around the country. No-one ever checks the validity of the document: its only function is to be copied and recorded because that's how it's always been done.
But it's growing elsewhere. If you employ someone or rent them a house in the UK you need to verify that person has a right to live and/or work in the UK. But you also have to be able to prove subsequently that you have done so - unless you want to risk prosecution, so you take a copy of all the various documents and keep them, perhaps long after that person has moved on.
If identity checks are going to proliferate (and the corollary of widespread facial recognition is that everyone is going to need to carry id which will lead to everyone demanding it...) there has to be a means of doing this that verifies that the check has taken place but does not require the retention of the documents concerned.
Ideally, we'd be less concerned about security theatre and more concerned about security itself, but as the number of children of whom we have to think diminishes annually, the amount of thought they are due appears to increase.
Re: Retention of identity documents
Typical Italian idiocy. I'm Italian and I can say it out loud, it's idiotic. In Italy a copy of an ID document (even a poor one, a 75 dpi black and white fax) is needed for almost EVERYTHING, and it's also considered a sufficient proof of identity for almost anything. You can imagine the results of this idiotic idea.
This was wrong but it was excusable 50 years ago, but not today. Not anymore. But still everything works like this. The "fotocopia del documento" is a nightmare that still plagues us Italians, and indeed it has potential for every kind of abuse. More so today because today we don't have piles of paper copies, but troves of scanned files that can be easily abused.
In the beginning of the 2000s we had a problem with SIM card activations; cellular shops had thousands of copies of IDs of customers, and they used them multiple times to register SIM cards to previous customers and then sell these cards to criminals, drug dealers, etc. Innocent people got called in for questioning by the police because of this, multiple times, until it was discovered that this was such a common issue that it was clear that there was something wrong going on. Did this lead to some new ways of verifying identities? NO, of course. We still have the fucking "fotocopia del documento".
Re: Retention of identity documents
The idea was to replace document copies with the SPID system - but it was managed by a bunch of approved private companies - and besides government sites, it was never used by private entities, as it was hoped, because it would cost them - a copy/scan of your documents costs nothing to the entity requesting it. Well, in other states you may have to submit copies of your driving license, bank accounts... same issues.
Now the hope is the Digital ID card and the e-wallet to store documents could replace it - but as long as people prefer copies, and don't want to mess with chip/NFC readers, and the supporting software, there's little to do.
Unless, like in "The Circle" - Facebook becomes the identity provider. I would not exist, then...
Re: Retention of identity documents
The problem with any centralised ID solution, be it government controlled or outsourced to a tech giant on behalf of the government is that I simply don't trust anyone with my personal info.
Surely there must be a blockchain-based, self-custody solution to this problem?
If someone needs to verify my ID then only I should have the power to authorise this request. No handing over documents or files to third parties who might lose or leak them to miscreants. Likewise, no central government database which, once hacked, can reveal the personal information of the nation.
Is this really beyond the wit of man or is it by design that such a system will never be implemented?
I'd be genuinely interested to hear the views of those more qualified than myself on this topic.
Ho-Hum here we go again ... again !!!
No need to steal someone's passport when you can simply hack a Booking system and gain tens of 1000's with supporting addresses etc.
Too late now but real security raises its ugly head.
Such systems need to be ultra secure and that means spending money on making it so !!!
It will be informative to see what is done to remedy this weakness in future .... other than changing the password !!!
:)
Re: Ho-Hum here we go again ... again !!!
"Such systems need to be ultra secure and that means spending money on making it so !!!"
What exactly is ultra secure ?
There is no hack proof system. This hotel booking thing is obviously networked and likely accessed by end hotel workers, travel agencies, travel search engines and perhaps guests themselves, all of them using different API/user interfaces.
We do not know the state of security in this hotel booking system. It could have been lax or following good security practices. You jumped to a conclusion without any evidence.
Either way, insiders with proper credentials can still have access to the data and export it. Remains to be seen if the criminals' point of entry is ever found out.
Re: Ho-Hum here we go again ... again !!!
Those data are protected by GDPR - so the hotels that were p0wned risk also a huge fine for not protecting them correctly. As I wrote in another post, there is a century-old law in Italy requiring hotels to identify customers and send their document data to the Police within 24 hours. There is no reason to store copies of the documents in a system accessible to everyone.
Then it is true too many entities ask for those kinds of documents. Even my company has a copy of my passport - because of business travels management. And the SAP Concur system they rely upon. Airlines will require it. Hotels require it. Even renting a car requires document copies... it's easier than reading the data and entering them into a form - without unneeded data.
Italy requires hotels (and others) to register visitors with the police.
It's a rule dating back to fascist era, but never actually removed (the whole Italian criminal law is still the same from 1930, with changes made after the second world war, but never actually fully repealed and rewritten from scratch - some rules are too advantageous for some lobbies to risk to have them changed - especially when it comes to white-collar crimes).
The issue is hotels routinely make copies of the documents to submit the data, and don't destroy them, nor evidently do they keep them secure. Often those copies are used for tax evasion schemes as well. The visitors are registered in ways to keep low the days they stay, delaying the moment they are registered.
Oh well
Lesson learned: Get yourself a fake passport for registering into (Italian) hotels.
They will lose it eventually, sooner or later.
Hopefully they've checked out the systems and it won't happen again