[BreachExchange] New Lawsuit Claims Marriott Still Exposes Customer Information

Destry Winant destry at riskbasedsecurity.com
Mon Dec 10 01:37:51 EST 2018


https://www.securityweek.com/new-lawsuit-claims-marriott-still-exposes-customer-information

A new class action filed against Marriott following the massive data
breach alleges that the hotel giant’s systems are affected by a
serious vulnerability that still exposes customer information.

Several lawsuits have been filed against Marriott after the company
revealed that hackers had access to its systems since at least 2014
and that they may have stolen the details of up to 500 million
customers from the Starwood guest reservation database.

The latest class action, initiated by law firm Edelson in Maryland,
claims that Marriott’s network is still vulnerable to cyberattacks.
Edelson claims its in-house forensics lab discovered a flaw in
Starwood’s internal systems that exposes a “wealth of information.”

Edelson’s complaint is redacted to avoid giving away the details of
the vulnerability, but it does note that “some of the largest and most
significant data breaches in recent history were carried out by
leaving open access to this exact type of data.”

“[The exposed information] could provide an endless roadmap of network
weaknesses and attack points. Likewise, a database of this kind offers
numerous data points for phishing attacks and social engineering,” the
complaint reads.

Edelson also pointed out that when individuals impacted by the breach
sign up for the WebWatcher service offered by Marriott through Kroll,
they relinquish their right to bring legal action.

The WebWatcher service, offered free of charge for one year, monitors
websites where personal information is shared and alerts the consumer
if their information is found. However, the WebWatcher terms of
service include a mandatory arbitration clause together with a waiver
of the right to a jury trial and to participation in a class action.

The lawsuit highlights several past cybersecurity incidents involving
Starwood and Marriott systems – including the discovery of
vulnerabilities and malware – in an effort to show that the hotel
company failed to take appropriate steps to secure customer
information and that it violated several laws.

SecurityWeek has reached out to Marriott for comment and will update
this article if the company responds.

Marriott discovered the massive breach on September 8, 2018, when one
of its internal security tools detected suspicious activity related to
the Starwood guest reservation database. The investigation launched by
the company revealed that the unauthorized access may have dated as far
back as 2014.

Individuals involved in the investigation revealed that some clues
left behind by the hackers suggest that the attack may have been part
of a cyber espionage operation conducted by the Chinese government.
