Current Cases

In re Marriott International Inc. Customer Data Security Breach Litigation

Status Current Case

Court U.S. District Court, Eastern District of Virginia

Case number 1:15-md-02627

Overview

On May 3, 2022, Judge Paul W. Grimm of the United States District Court for the District of Maryland granted certification to eight classes in In re: Marriott International Inc. Customer Data Security Breach Litigation, MDL No. 2879. The ruling certifies potentially millions of class members spanning six states that were included in an initial 10 bellwether cases and an estimated 47.7 million exposed customer records associated with the bellwether states, the judge said.

On November 29, 2023, the Court recertified the class after Marriott had successfully appealed the class certification. The U.S. Court of Appeals for the Fourth Circuit found that the district court had not properly considered the “effect” on class certification of a “choice of law and venue” clause in a Starwood guest rewards contract that the members of the damages class had signed and remanded the dispute to the lower court for further consideration of this issue.

In its recertification order, the lower court concluded that Marriott had “waived any benefit from its Choice of Law and Venue provision” through both its “inaction and action” during the course of the case and that, even if the provision weren’t waived, the contest agreement was “ineffective to override the court’s discretion” to certify a class or consolidate proceedings in order to promote judicial efficiency.

The class action addresses one of the largest data breaches in U.S. history. By the hotel chain’s own acknowledgement in November 2018, the breach compromised the personal information of nearly 400 million customers who made reservations at Starwood-branded hotels, which Marriott acquired in 2016.

On April 29, 2019, the Court appointed Cohen Milstein’s Andrew N. Friedman Consumer Plaintiffs’ Co-Lead Counsel to oversee the litigation.

Case Background

On January 9, 2019, Cohen Milstein and co-counsel filed a putative nationwide data breach class action with the U.S. District Court, District of Maryland against Marriott International, Inc. (NASDAQ: MAR) following a massive, long-running data breach at the company, on behalf of behalf of 176 Plaintiffs from all fifty states, the District of Columbia, Puerto Rico, and the Virgin Islands.

This landmark court filing comes on the heels of Marriott’s recent admission that approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were among the sensitive customer records accessed by hackers.

Plaintiffs allege that Starwood, and later Marriott, took more than four years to discover the breach and then failed to notify its customers in a timely manner. Marriott became the world’s largest hotel chain when it acquired Starwood.

Beginning in 2014 and possibly earlier, and continuing through November 2018, hackers exploited vulnerabilities in Starwood’s network to access the guest reservation system and steal customer data. Marriott discovered the breach on September 8, 2018 but failed to publicly disclose it until nearly three months later, on November 30, 2018, when it admitted that there had been unauthorized access to the Starwood guest reservation database. This database contained personal customer information, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some customers, the information also included payment card numbers and payment card expiration dates.

Case Documents

Related Professionals

Related Media

October 9, 2024

Marriott Inks $52M Deal with States Over Guest Data Breach

Marriott International Inc. has agreed to pay $52 million to nearly every U.S. state and bolster its data security practices to resolve parallel investigations by state attorneys general and the Federal Trade Commission over a massive data breach at the hotel’s Starwood-branded properties. A coalition of attorneys general from the District of Columbia and every […]

In the News | Law360

December 1, 2023

Marriott Can’t Use Class Waiver To Block Cert. In Breach Row

A Maryland federal judge has reinstated certification for several classes of consumers suing Marriott and its information technology provider over a massive data breach at the hotel’s Starwood-branded properties, finding that Marriott’s response to the litigation has been “wholly inconsistent” with its argument that guests had agreed to pursue their claims individually. U.S. District Judge […]

In the News | Law360

April 6, 2023

Consumers Reject Marriott’s Challenge To Discovery Order

A class of consumers suing Marriott International Inc. in wide-ranging multidistrict litigation over a major data breach says it needs information on how the hotel company calculated the value of the consumers’ personally identifiable information, asking a Maryland federal judge to sign off on a special master’s report ordering discovery into the valuation. The consumers’ […]

In the News | Law360

May 5, 2022

Federal Judge Rules Massive Marriott Data Breach Class Action May Proceed

Claims about company’s lax data security, which led to breach that impacted over 133 million guest records, moving forward on behalf of nearly 45 million consumers as a certified class GREENBELT, Md.– A federal judge in Maryland has granted class certification in a data breach impacting over 133 million American consumers against hotel chain […]

Press Releases

May 5, 2022

Federal Judge Rules Marriott Data Breach Class Action May Proceed

Consumers might be able to recover damages for the inherent value of their personal information stolen during the breach based upon Marriott’s own valuation of that same data. A federal judge in Maryland has granted class certification in a data breach impacting over 133 million American consumers against hotel chain Marriott and its data security […]

In the News | Hospitality Technology

May 4, 2022

Marriott Guests Get Partial Class Certification in Breach Suit

Some Marriott International Inc. guests were granted class status by a Maryland federal judge in litigation over a major data breach that compromised the personal information of 133.7 million guests at its Starwood-branded hotels, while others classes were denied certification. Plaintiffs filed a would-be class action alleging that Marriott took more than four years to […]

In the News | Bloomberg Law

May 4, 2022

8 Classes of Marriott Guests Certified in Data Breach MDL

A Maryland federal judge certified eight classes of Marriott International Inc. guests in multidistrict litigation over a major data breach that compromised the personal information of more than 100 million guests at its Starwood-branded hotels, although some other classes were denied certification. U.S. District Judge Paul W. Grimm granted certification on Tuesday to eight of 13 potential guest […]

In the News | Law360

March 31, 2020

Marriott Reveals New Data Breach Impacting 5.2M Guests

Marriott International Inc. said Tuesday that roughly 5.2 million guests’ loyalty information and other personal details had been exposed in a data breach earlier this year, a disclosure that class counsel pressing multidistrict litigation over a separate major hack of the hotel giant said highlights the company’s ongoing data security failings. In a notice posted […]

In the News | Law360

May 31, 2019

Andrew Friedman Discusses the Marriott Data Breach Lawsuit: Data Breach Debacles

Andrew Friedman, co-chair of Cohen Milstein’s Consumer Protection practice and co-lead counsel in the Marriott data breach class-action suit, joins Aaron Freiwald, host of the weekly podcast Good Law | Bad Law, to discuss the Marriott case as well as other massive data breaches and the growing security concerns surrounding our personal information. In today’s […]

Multimedia | Good Law ǀ Bad Law Podcast

January 10, 2019

Data Breach Class Action Powerhouses Team Up to File First, Fifty-State Lawsuit Against Marriott in Wake of Disastrous Data Breach

National class action law firms DiCello Levitt; Hausfeld; Cohen Milstein Sellers & Toll; Cohen & Gresser; and Kramon & Graham have teamed up to file the nation’s largest class action complaint against Marriott (NASDAQ: MAR) following a massive, long-running data breach at the company. With 176 Plaintiffs from all fifty states, the District of Columbia, […]

In the News | Associated Press

January 10, 2019

Data Breach Lawsuit Filed Against Marriott in Md. Federal Court

A group of class-action law firms Thursday filed the largest-to-date lawsuit over Marriott International Inc.’s recent admission that millions of customers’ private data was accessed by hackers. The complaint, filed in U.S. District Court in Greenbelt, includes 176 plaintiffs from all 50 states, Washington, D.C., Puerto Rico and the U.S. Virgin Islands, according to a […]

In the News | The Daily Record

December 3, 2018

With Plenty of Plaintiffs, Lawyers Flood the Courts Over Marriott’s Massive Breach

Cohen Milstein Among First Firms to File Action in Response to the Marriott Data Breach. Lawyers have moved to coordinate suits into multidistrict litigation and questioned an arbitration clause in Marriott’s free internet monitoring program offered to its customers. Lawyers rushed to bring about a dozen class actions over Marriott’s data breach—and with about 500 […]

In the News | The National Law Journal