More than 150 people who previously stayed in Marriott properties filed a class-action lawsuit against the hotel company, claiming it didn’t do enough to protect them from a massive data breach.
Data breaches seem to be happening a lot lately, and oftentimes class-action lawsuits follow soon after, such as the federal class-action lawsuit recently filed against Marriott. According to the suit, “more than 150 people who previously stayed in Marriott properties are suing the hotel chain…claiming that Marriott didn’t do enough to protect them from a data breach that exposed more than 300 million guests’ personal information, including names, credit card information, and passport numbers.”
The lawsuit was filed on January 9 in Maryland federal district court and argues that the hotel chain failed to “adequately protect guest information before the breach and, once the breach had been discovered, it failed to provide timely, accurate, and adequate notice to guests whose information may have been obtained by hackers.” News of the data hack was first disclosed on November 30, 2018. At that time, the company revealed that cyberattackers “had targeted its Starwood reservation system and accessed the personal information of up to 500 million guests who had stayed in certain properties since 2014.”
The suit claims the data hack had been going on since 2014 when Marriott purchased Starwood properties. The plaintiffs argue that, “in conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood.” Amy Keller, the attorney representing the plaintiffs, said Marriott “should have caught — at the very least — that there was some suspicious activity concerning the database where a lot of consumer information was contained.”
Rather than being found, the breach was allowed to continue for two more years after Marriott acquired Starwood properties, until Marriott caught it in September 2018. However, even after the company found the breach, it “waited until November to tell guests about the breach,” according to the suit.
It’s estimated that the hack affected about 383 million records. Of those records, Marriott admitted that hackers were able to obtain the “unencrypted passport numbers of 5.25 million guests, as well as 20.3 million encrypted ones.” Additionally, an estimated “8.6 million encrypted credit and debit card numbers were exposed as well.”
It’s important to note that not all Marriott properties were affected by the hack. Only properties using Starwood’s reservation system were compromised. Starwood’s reservation system is a “centralized database that was used to book rooms for nearly 1,300 properties around the world, was difficult to secure and could have been vulnerable to hackers.”
This recent class-action suit isn’t the first one filed against Marriott. In fact, the company was hit with a different class-action suit back in December. That one was filed by Murphy, Falcon & Murphy. At the time, Hassan Murphy, a managing partner at the firm, said:
“Marriott is one of the largest hotel chains in the world. That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable. Even more egregious is the fact that Marriott did not discover this breach for nearly four years, and then for months after that discovery failed to tell its customers what had occurred. This conduct constitutes a significant breach of trust and confidence unparalleled in the hospitality industry.”
Unfortunately, the hospitality industry is often targeted by hackers “because of lax security policies.” When commenting on the matter, Keller said, “This breach and other breaches should be signaling to companies that they need to do a better job of protecting customer data, and if they have holes in their security, they really need to take basic steps to keep it secure.”