On Friday morning, the Marriott hotel chain disclosed that its Starwood reservation system had experienced one of the largest data breaches of all time. By Friday afternoon, a class action lawsuit was already filed in a U.S. District Court.
Law firm Morgan & Morgan has asked a court in Maryland to grant a class action trial by jury accusing Marriott International Inc of negligence, breach of confidence, and deceptive and unfair trade practices. In a statement to Gizmodo, John Yanchunis, an attorney for the firm, told us:
Large, sophisticated companies like Marriott are not blind to the risks posed by cyber criminals, who are constantly attempting to infiltrate corporations that store sensitive consumer information. The fact that a breach that began in 2014 went undetected for four years is shocking and horrifying.
When guests stay at hotels, they trust the hotel will provide adequate security – both physical and the protection of their private information. It appears that the trust 500 million people placed in Marriott/Starwood was violated – for nearly half a decade.
The hotel giant claims it’s still reviewing the extent of the breach to its system, but in a filing with the SEC it estimated that it exposed the personal information of around 500 million guests. That would make it the second biggest data breach of all time, just behind Yahoo’s devastating hack of 3 billion users. In Yahoo’s case, it took years to fully come clean about the extent of the breach.
So far, Marriott has said it believes the Starwood system was first infiltrated in 2014, and it first detected an intrusion in September of this year. It claims that guest records that were stolen included: “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival, and departure information, reservation date, and communication preferences.” It also said it’s looking into whether the hackers were able to get their hands on the security keys to decrypt the guests’ credit card numbers that were stolen.
An FTC investigation of Marriott seems likely and the hotel said it’s working with law enforcement to track down the perpetrators. We’ll surely see more civil legal action come up as guests are notified and more information becomes available. Some victims of Equifax’s 2017 data breach even had some luck suing in small claims court.
You can read the full complaint below: