The complaint for this class action alleges that Marriott International, Inc. failed to use industry-standard security measures and failed to encrypt sensitive personal information. It also claims that Marriott failed to notice the data breach for as long as four years.
The class for this action is all individuals whose personally identifiable information or payment information was in the Reservation Database at any time between January 1, 2014 and September 10, 2018.
On November 30, 2018, Marriott announced that it had experienced a data breach that could affect as many as 500 million customers. It admitted that it had failed to safeguard personally identifying information (PII) such as mailing addresses, phone numbers, passport numbers, and account information, as well as payment card data (PCD).
Perhaps the most jaw-dropping news is that the hackers had access to information over four years. The complaint quotes a privacy expert as saying, “It’s astonishing how long it took [Marriott] to discover they were breached. … They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing.”
Marriott operates more than 6,700 properties, including Starwood Hotels & Resorts Worldwide, LLC, which figures prominently in this case. Starwood, like most similar companies, requires guests to provide substantial PII, and the complaint says it does not destroy this information but keeps it in its database.
The complaint quotes investigators as saying that “multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014.” Although Starwood noticed a malware intrusion in 2015, the complaint claims that the company did not sufficiently investigate. A “more thorough investigation into the 2015 investigation could have uncovered the [current] attackers, who instead were able to lurk in [Marriott’s] reservation system for three more years.”
The complaint alleges that independent cybersecurity experts warned that the systems were vulnerable during the period. Also, other hotels and resorts were hacked during the same period, which the complaint says should have provided a warning to Marriott.
Marriott’s Global Privacy Statements says the company will keep personal information safe and limit its disclosure, but the complaint claims those statements were false.
The complaint further claims that Marriott delayed too long before sending notice of the breach to its customers and that it the form of notice it sent was misleading. Also, it says, the remedies Marriott has offered to its affected customers are inadequate. Its claims against Marriott include negligence and breaches of contract.