Marriott's data breach affected nearly 400 million people in both the United States and abroad. Pierce Bainbridge joined the battle against Marriott today, filing suit on behalf of victims in the US and worldwide. The suit seeks to hold Marriott International, Inc. and its President and Chief Executive Officer, Arne Sorenson, responsible not only for the breach itself, but for failing to notify unsuspecting travelers of the flaws in the Starwood reservation system that made it a ready target for hackers, and for, then, making matters worse by failing to inform the public until years later. The suit alleges that Marriott exposed the personal and sensitive information of hundreds of millions of travelers by failing to take reasonable steps to secure it. The suit seeks damages and injunctive relief to make sure that on behalf of various plaintiffs and in connection with one of the largest data breaches in history, Marriott changes its practices.
In November 2018, Marriott announced that its wholly owned subsidiary, Starwood Hotels & Resorts Worldwide, failed to secure the personal information — including passport numbers and payment information — of an estimated 383 million travelers worldwide. Marriott claims that it did not discover the breach — which first occurred in 2014 — for four years, giving hackers plenty of time to pilfer and sell the sensitive and personal information of hundreds of millions of hotel guests.
The value of this personal information —including names, email addresses, recovery email accounts, telephone numbers, payment card information, and passport information — on the black market is well known. Identity thieves use the information to gain access to different areas of the victim's digital life, including bank accounts, social media accounts, and credit card accounts. They also use the stolen information to harm victims through embarrassment, blackmail or harassment, in person or online, to commit other types of fraud, including obtaining ID cards or driver's licenses, fraudulently obtaining tax refunds and other government benefits.
Despite heightened public awareness of the danger of identity theft, Marriott allegedly failed to institute adequate cyber-security procedures. Marriott's storage of over 5 million unencrypted passport numbers was "extremely reckless and unsafe" according to the class action complaint. And even the encryption method it used for other data was woefully inadequate, as Marriott admitted the components needed to decrypt the payment card numbers may have been taken as well.
Marriott operates more than 6,700 properties in 130 countries. Any guest who made reservations or stayed at one of the Starwood brand hotels from 2014-2018 may be a victim of the data breach. The Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) are also included.
Logos, product and company names mentioned are the property of their respective owners.