Marriott International Inc. said Tuesday that roughly 5.2 million guests' loyalty information and other personal details had been exposed in a data breach earlier this year, a disclosure that class counsel pressing multidistrict litigation over a separate major hack of the hotel giant said highlights the company's ongoing data security failings.
In a notice posted to its website, Marriott said that it discovered at the end of February that "an unexpected amount of guest information" may have been accessed using the login credentials of two employees at a franchise property. The hotel chain said the intrusion likely dated back to mid-January, when a hacker is believed to have used the stolen credentials to access an application that hotels operated and franchised under Marriott's brands use to help provide services to their guests.
. . .
Tuesday's disclosure comes less than 18 months after Marriott in November 2018 revealed a separate data breach impacting up to 383 million guests at its newly acquired Starwood properties. That incident exposed a wide range of personal data, including nearly 24 million passport numbers and more than 9 million credit and debit cards.
The plaintiffs' attorneys spearheading the sprawling MDL that was assembled in the wake of the 2018 breach told Law360 on Tuesday that they "believe that this is all related to the ongoing multidistrict litigation, in which we allege that Starwood — now Marriott — had and continues to have inadequate security measures in place to protect consumer information."
"Although we had hoped that the company would take cybersecurity more seriously after its last major breach, we certainly will continue to push for cybersecurity reforms through injunctive relief as well as restitution for consumers who were and continue to be impacted," co-lead counsel for the consolidated consumer class — Amy Keller of DiCello Levitt Gutzler LLC, Andrew Friedman of Cohen Milstein Sellers & Toll PLLC and James Pizzirusso of Hausfeld LLP — said in an emailed statement.
Marriott lost its bid to toss the MDL in February, when a Maryland federal judge ruled that the guests pressing the suit had adequately claimed injuries traceable to the company's failure to detect the historic hack or stop the theft of their personal information.
. . .
The complete article can be accessed here.