Marriott Data Breach Class Action Lawsuits Allowed To Proceed

A federal judge found that Marriott must face a multidistrict litigation filed by consumers who claim that the hotel chain should have done more to protect them from one of the biggest data breaches in history.

Court documents note that, from July 2014 to September 2018, hackers had access to a guest information database of Starwood Hotels, a company purchased by Marriott in November 2018.

Hackers reportedly stole names, mailing addresses, dates of birth, gender, payment card numbers and the tools that are needed to decrypt the cardholders data. In addition, passport information was allegedly taken.

Marriott has agreed to pay for passport replacements for customers who were targets of the data breach. Marriott has stated that the passport information was only taken from a “smaller subset of consumers” but experts think that the passport numbers that were compromised could lead to identity theft.

“In total, Marriott allegedly disclosed that the breach impacted at least 383 million guest records, including nearly 24 million passport numbers and more than 9 million credit and debit cards,” the judge’s opinion notes.

Marriott discovered the breach on Sept. 8, 2018 but waited more than two months to notify the guests that their data had been hacked, according to the judge’s opinion.

Marriott announced the massive data breach in December 2018 stating that nearly 500 million customers had their personal information stolen.

Numerous class action lawsuits followed and a judge consolidated 11 of them into one multidistrict litigation in February 2019. Lawsuits had been filed in different states, including California, Illinois, New York, and Massachusetts.

The plaintiffs allege that Marriott did not properly work to mitigate Starwood’s cybersecurity risks before and after the merger. The Marriott data breach class action lawsuit claims that the hotel chain is liable under theories of tort, contract, and breach of statutory duties.

“The gravamen of these allegations is that Marriott failed to take reasonable steps to protect Plaintiffs’ personal information against the foreseeable risk of a cyber attack and contrary to their express privacy statements and statutory duties,” the judge’s opinion states.

Although Marriott wanted the claims against them to be dismissed, the judge found that the plaintiffs successfully argued their case.

According to the judge, the plaintiffs have sufficiently shown that there is an imminent risk of injury and identity theft, that they will have to use time and money to protect against identity theft, that they have lost property value in the personal information, and that they suffered from a loss of benefit of their agreement with Marriott related to the privacy of their data.

“Here because the alleged actual and threatened harm to the Bellwether Plaintiffs is sufficiently non-speculative to establish injury-in-fact, the Bellwether Plaintiffs have also established injury-in-fact based on the alleged time and money spent to mitigate that harm,” the judge notes in his opinion.

In related legal news, a class action lawsuit has been launched against Marriott Hotels in the U.K. seeking damages for 339 million guests whose personal information was breached in a cyberattack.

Was your data stolen by hackers? Leave a message in the comments section below.

The plaintiffs are represented by co-lead counsel Andrew Friedman of Cohen Milstein Sellers & Toll PLLC, Amy Keller of DiCello Levitt Gutzler LLC and James Pizzirusso of Hausfeld LLP.

The Marriott Data Breach MDL is In re: Marriott International Inc. Customer Data Security Breach Litigation, Case No. 19-md-2879, in the U.S. District Court for the District of Maryland.

Read More Lawsuit & Settlement News:

Lawsuit Filed over Alleged Catholic Church Sex Abuse Cover Up

FTC Mailing $34M To Office Depot Customers

Regions Bank Mortgage Loan Interest May Have Broken Federal Rules

Monster Energy Class Action Says Espresso Drinks Don’t Contain Vanilla