More than 150 people who previously stayed in Marriott properties are suing the hotel chain in a federal class-action lawsuit, claiming that Marriott didn’t do enough to protect them from a data breach that exposed more than 300 million guests’ personal information, including names, credit card information, and passport numbers.
The suit, which was filed Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, “failed to provide timely, accurate, and adequate notice” to guests whose information may have been obtained by hackers.
Marriott first disclosed that it had been hacked on November 30, saying that cyberattackers had targeted its Starwood reservation system and accessed the personal information of up to 500 million guests who had stayed in certain properties since 2014.
The company reportedly began investigating the breach in September, and in December announced that the hack had affected roughly 383 million records, not the 500 million that had previously been estimated — but that hackers had obtained the unencrypted passport numbers of 5.25 million guests, as well as 20.3 million encrypted ones. Approximately 8.6 million encrypted credit and debit card numbers were exposed as well. Notably, the New York Times reported that the hack may have been part of an intelligence-gathering effort by the Chinese government.
Not all Marriott properties were affected. Hackers were able to access the reservation system for the company’s Starwood portfolio, which Marriott purchased in 2016 and which includes the W Hotels, the St. Regis, Sheraton Hotels, Westin Hotels, and more. The Starwood merger made Marriott the world’s largest hotel chain.
According to the suit, Marriott’s purchase of the Starwood properties is part of the problem. “This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood,” Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox. “In so doing, it should have caught — at the very least — that there was some suspicious activity concerning the database where a lot of consumer information was contained.”
Instead, Keller said, the breach continued for an additional two years after the acquisition, until Marriott caught it in September 2018. And even then, the suit claims, the company waited until November to tell guests about the breach.
According to a December report by the Wall Street Journal, Marriott could have caught the breach years earlier. Some employees said that Starwood’s reservation system, a centralized database that was used to book rooms for nearly 1,300 properties around the world, was difficult to secure and could have been vulnerable to hackers. In fact, Starwood was the target of a different hack in 2015. In that instance, the hackers were able to access the system for eight months before being detected. That hack should have been an opportunity for Marriott to catch the bigger breach, experts say.
This isn’t the first lawsuit to be brought against Marriott in response to the leak. A different class action suit was filed in December. “Marriott is one of the largest hotel chains in the world. That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable,” Hassan Murphy, a managing partner at Murphy, Falcon & Murphy, one of the firms that brought a suit against Marriott, said in a statement at the time. “Even more egregious is the fact that Marriott did not discover this breach for nearly four years, and then for months after that discovery failed to tell its customers what had occurred. This conduct constitutes a significant breach of trust and confidence unparalleled in the hospitality industry.”
But cybersecurity experts say that the hospitality industry is often targeted by hackers precisely because of lax security policies. “The hospitality industry has never been at the forefront of security,” Vincent Liu, a partner at the security consulting firm Bishop Fox, told the Wall Street Journal in December.
“This breach and other breaches should be signaling to companies that they need to do a better job of protecting customer data, and if they have holes in their security, they really need to take basic steps to keep it secure,” said Keller, referring to the latest hack.
Marriott declined to comment on the litigation.