A massive class-action suit has been filed against Marriott International on behalf of 500 million guests whose information was compromised in a security breach.
Honolulu’s Star Advertiser reports that Murphy, Falcon & Murphy, along with co-counsel Morgan & Morgan, filed the suit Friday, alleging that Marriott failed to “ensure the integrity of its servers and to properly safeguard consumers’ highly sensitive and confidential information.”
The breach, writers the Advertiser, exposed credit card numbers, addresses, birthdates and passport information.
Marriott didn’t discover the hack until September 4th, 2018, nearly four years after its servers were first attacked.
“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The company said on Friday that the hack affected reservation databases for its Starwood properties. Brands falling under the label include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points.
The Advertiser adds that timeshare properties were also affected by the breach.
According to the Wall Street Journal, some cybersecurity firms allege that Marriott had ample opportunity to protect its customers. They cite a 2015 cyber-attack on Starwood, which installed ‘malware on point-of-sale systems in some hotel restaurants and gift shops to siphon off payment-card information.’
While that breach was far smaller in scale than Marriott’s, security specialists say a more thorough investigation could have revealed the second intruder.
“With all the resources they have, they should have been able to isolate hackers back in 2015,” said Andre Barysevich, a researcher with security company Recorded Future Inc.
Writing in a Sunday e-mail to the Wall Street Journal, a Marriott spokeswoman expressed regret for not plugging the breach earlier.
“Obviously, all involved would have preferred that this incident had been identified earlier,” she wrote. “When there is a concern that payment cards are at risk, forensic investigations start looking at devices that process payment cards and follow the evidence from there.”
She declined to offer any comment on the 2015 hack, adding that it happened before Marriott acquired Starwood the following year. At the time, Starwood didn’t think the hack had any further consequences.
Hassan Murphy, managing partner at Murphy, Falcon & Murphy, questioned how a company with Marriott’s resources couldn’t protect its customers from nearly four years of data theft.
“Marriott is one of the largest hotel chains in the world,” Murphy said. “That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable.”
“Marriott’s conduct has compromised every aspect of its customers’ personal identities, exposing them to identity theft, fraud, and harm for years to come,” he said. “We will continue working until Marriott fixes this problem and appropriately compensates its victims for their losses.”