Marriott sued for $12.5bn in data breach case

A class-action lawsuit seeking $12.5 billion, or $25 for each customer whose privacy may have been jeopardized, has been filed against Marriott after the hotel chain revealed a data breach affecting 500 million customers of its Starwood hotels, according to a Dec. 1, 2018 report by The Oregonian.

The lawsuit’s class representatives are a Portland businessman who frequently travels, and a Salem attorney who believes the breach could be responsible for suspicious activity he noticed on his credit card in the past year, according to the report.

On Nov. 30, 2018, Marriott disclosed a data security incident involving the Starwood guest reservation database which contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, the hotel group said. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption, Marriott explained. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information, the hotel group noted.

An additional national class action lawsuit against Marriott International has been filed by Baltimore law firm Murphy, Falcon & Murphy. The law firm noted that the incident is the largest data breach to ever occur. Cybercriminals broke into Marriott's servers in 2014, obtaining the personal information of approximately 500 million Marriott customers. These nefarious actors then roamed freely throughout Marriott's system, with unfettered and undetected access, for four years. Marriott did not discover the breach until September 8, 2018. For some inexplicable reason, Marriott refused to notify its consumers until today—nearly three months after its discovery—and still has not provided customers with complete information regarding the extent of the breach. In fact, Marriott does not actually know the origin or identity of the hackers and has not fully assessed the scope of the attack.

The lawsuit alleges that Marriott failed to ensure the integrity of its servers and to properly safeguard consumers' highly sensitive and confidential information. Marriott knew that that it had an obligation to protect the personal and financial data of its guests and customers, and it was also aware of the significant repercussions to its customers if it failed to do so. It knew that this data, if hacked, would result in extensive injury to millions of Marriott guests. Despite this knowledge, Marriott failed to take appropriate measures to protect and secure its customers' personal information. Its conduct violates consumer protection statutes, constitutes a breach of confidence, and was reckless and grossly negligent.

Hassan Murphy, Managing Partner at Murphy, Falcon & Murphy, said today, "Marriott is one of the largest hotel chains in the world. That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable. Even more egregious is the fact that Marriott did not discover this breach for nearly four years, and then for months after that discovery failed to tell its customers what had occurred. This conduct constitutes a significant breach of trust and confidence unparalleled in the hospitality industry."

Murphy added: "Marriott's conduct has compromised every aspect of its customers' personal identities, exposing them to identity theft, fraud, and harm for years to come. We will continue working until Marriott fixes this problem and appropriately compensates its victims for their losses."

Hassan Murphy is currently a member of the Plaintiffs' Steering Committee in In Re: Equifax, which is responsible for prosecuting the nationwide consumer data breach litigation against Equifax.

Get all the latest re/insurance industry news with our daily newsletter -  sign up here.

More of today's news

Bermuda insurers increase cat resilience

California Woolsey fire insured losses exceed $2.5bn: AIR

US insurers retain coal support

New digital Allianz Europe unit to serve as beacon, says CEO

Gallagher expands in Indonesia, Singapore with IBS stakes

ArgoGlobal appoints international chief actuary from Aspen

Sava Re upgraded to ‘A’ by AM Best

Don't miss our insurtech email newsletter - sign up today