Intercontinental Hotels Class Action Filed Over Data Breach

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

A Mississippi man says an Intercontinental Hotels data breach exposed thousands of customers’ sensitive card information to data theft.

Plaintiff David Orr claims that by failing to follow basic industry standards for data security, defendant Intercontinental Hotels allowed its customers’ credit and debit card information to be compromised at more than 1,000 hotel locations in the fall of 2016.

Orr says he got notice of the Intercontinental Hotels data breach in a letter dated April 14, 2017. According to that letter, Intercontinental Hotels had discovered evidence that its payment processing systems had been afflicted with malware designed to target credit and debit card information.

The malware was apparently in operation between September and December 2016, according to the letter, and it affected over 1,000 locations. It was designed to collect card numbers, expiration dates and verification codes, as well as cardholder names.

Several other hotel chains have announced similar data breaches in recent years, Orr claims, putting Intercontinental Hotels on notice that its payment systems were a prime target for hackers. Still, he says, Intercontinental Hotels failed to implement adequate protections for its customers’ payment information.

According to Orr’s Intercontinental Hotels class action lawsuit, the data security at the defendants’ hotels failed to live up to the data security standards promulgated by the Payment Card Industry Security Standards Council.

These standards require entities that handle card data to implement strong measures for access control, ensure compliance with data security policies, and regularly monitor and test their networks. Had Intercontinental Hotels complied with these standards, Orr claims, the data breach at issue could have been avoided.

“The Security Breach was caused and enabled by [Intercontinental Hotels Group’s] knowing violation of its obligations to abide by best practices and industry standards concerning the security of payment systems,” Orr claims.

“[Intercontinental Hotels Group] failed to comply with security standards and allowed its customers’ financial information to be compromised by cutting corners on security measures that could have prevented or mitigated the Security Breach that occurred.”

Orr says his own debit card information was exposed in the Intercontinental Hotels data breach. He used that card to pay for a stay at an Intercontinental Hotels-run Holiday Inn in Biloxi, Miss. in October 2016, while the malware was active. Orr says he had to cancel his debit card and wait for a replacement card, and he had to spend time auditing his bank statements for fraudulent activity.

Orr seeks to represent a plaintiff Class consisting of all persons who used their credit or debit cards at an Intercontinental Hotels hotel between Sept. 29 and Dec 29, 2016, including all persons who received the data breach notification letter from Intercontinental Hotels.

He seeks an award of actual and punitive damages, attorneys’ fees, and costs of litigation, all with pre- and post-judgment interest.

Orr is represented by attorneys David J. Worley and James M. Evangelista of Evangelista Worley LLC, Ben Barnow, Erich P. Schork and Anthony L. Parkhill of Barnow and Associates PC, and Brian K. Herrington of Herrington Law PA.

The Intercontinental Hotels Data Breach Class Action Lawsuit is David Orr v. Intercontinental Hotels Group PLC, et al., Case No. 1:17-cv-01622, in the U.S. District Court for the Northern District of Georgia.

UPDATE: June 2020, the InterContinental data breach class action settlement is now open. Click here to file a claim.