Marriott is once again making headlines. This time, the company is facing another lawsuit after yet another data breach.
You’d think that the first two incidences would be enough of a wake up call to patch up security. It turns out, that may not be the case – at least enough to stop a third incident from happening.
For context, back in November of 2018, Marriott suffered from a major data breach. In all, 500 million customers had been compromised. In response, multiple class action lawsuits were filed against the chain in the US. By May of 2019, an additional class action lawsuit was filed against the company in Canada. In July of 2019, the UK’s Information Commission Office fined Marriott £99 million.
In June of 2019, Marriott’s management company suffered from a data leak. In all, 85.4GB of data was left exposed. The incident wound up looking like the company stubbed its toe a second time with all of this security related coverage. Of course, the hope is that the company finally learned its lesson in better protecting its data and that this sort of thing is behind them.
As it turns out, those hopes were dashed.
Late last month, the company suffered from yet another data breach. In all, 5.2 million guests were compromised. From CNBC:
Marriott reports that at the end of February it found that an “unexpected amount” of guest information may have been accessed starting in mid-January. The data was accessed using the logins of two employees at a franchise property and included the following guest information:
- Names
- Personal details, such as gender and age
- Addresses
- Email addresses
- Phone numbers
- Loyalty account information for Marriott’s Bonvoy rewards program, including account numbers and points balances, but not passwords
- Employer information
- Information on affiliations, such as linked airline loyalty programs and numbers
- Room and hotel preferences
The hotel chain stressed that while the investigation is ongoing, it had no reason to believe account passwords for Marriott’s Bonvoy rewards program or financial information such as credit card numbers, passport information or driver’s licenses were accessed, Marriott said in a notice of the breach.
Now, we are learning that the company is facing at least one class action lawsuit in response to the breach. The suit was filed in a Maryland District Court. From Law Street Media:
Frequent Marriott guest Pati Springmeyer has filed a class action complaint against hotel chain Marriott International, Inc. arising from a data breach disclosed late in March.
She accused Marriott of negligence, negligence per se, breach of contract, breach of implied contract, breach of confidence, as well as deceptive and unfair trade practices in relation to the data breach. The suit is filed in the Maryland District Court. Plaintiff is represented by Murphy Falcon and Murphy.
In order to reserve and book a room at a Marriott hotel, “Marriott’s guests create, maintain, and update profiles containing significant amounts of personal identifiable information (‘PII’), including their names, birthdates, addresses, locations, email addresses, and payment card information.” On March 31, Marriott announced that two of its employees’ login credentials were compromised and “‘an unexpected amount of guest information’ had been improperly accessed as early as mid-January 2020.” The compromised information includes “Contact Details,” “Loyalty Account Information,” “Additional Personal Details,” “Partnerships and Affiliations,” and “Preferences.” The plaintiff alleges that this data breach was caused by Marriott’s “failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect” guests’ personal information from unauthorized intrusions.
Springmeyer stayed at various Marriott hotels in the past decade and has allowed the company to keep her personal information, as required to book at the hotel. She was notified that her personal information was “compromised and ‘accessed without authorization.’” She has spent time monitoring her accounts to prevent identity theft and other misuses of her information. According to the complaint, Springmeyer and other class members could face, for example, identity theft and false purchases made in their name.
Here’s the thing with all of this: this is a company with resources. It’s not like they can’t afford top of the line security for information on its guests. So, for the first security incident, OK, that sucks. The second security incident? Alright, lessons can be learned here. As for the third incident? I’m left asking “what is going on with Marriott anyway?” If Marriott keeps this up, their security track record is going to be worse than Facebook before too long. Seriously, how much worse can the security image of Marriott is going to get?
Drew Wilson on Twitter: @icecube85 and Facebook.
