[BreachExchange] Florida-Based Firm Files Class Action Against Marriott After Latest Data Breach Revelation

Destry Winant destry at riskbasedsecurity.com
Mon Apr 6 10:20:23 EDT 2020


The Orlando, Florida-based personal injury firm Morgan & Morgan has
sued Marriott International in federal court one day after the hotel
chain announced it had been the victim of another data breach
affecting millions of customers.

On Wednesday, attorneys with Morgan & Morgan filed a proposed class
action lawsuit in the U.S. District Court for the District of
Maryland. The suit, Springmeyer v. Marriott International, listed Las
Vegas resident Pati Springmeyer as class representative, and alleges
the company failed to take required steps to protect its customers’

“These large companies know the risk posed by cyber criminals and
continue to be cavalier with their customers’ personal information.
It’s stunning that Marriott, which is already defending a significant
data breach, we allege, would not have taken more care to secure its
customers’ information,” attorneys John Morgan and John Yanchunis said
in a statement about the suit. “The fact that this breach comes less
than two years after the first one we know about is damning, and they
must be held accountable.”

The new case was filed in the wake of Marriott’s announcement Tuesday
that it had been the victim of another data intrusion, one that could
affect as many as 5.2 million people. The breach, according to
Marriott, was discovered at the end of February, after learning that
the login credentials of two employees had been compromised. The
company said it believes the intrusion began in mid-January.

In its announcement, the company said personal identification
information, including people’s names, mailing addresses, email
addresses, birth dates and phone numbers, were likely exposed, as well
as information for their loyalty accounts with the hotel and some

The news comes less than 18 months after the company announced it had
been subject to an even wider data breach. In November 2018, the
company announced that the personal data of 500 million guests of its
Starwood Hotels and Resorts Worldwide properties had been compromised.
Marriott has since lowered that figure to fewer than 383 million, but
the information that was potentially exposed in that breach included
passport numbers and credit card information—both of which Marriott
said were not likely to have been exposed in the latest breach.

Dozens of lawsuits were filed in the wake of the initial breach, which
has been litigated out of federal court in Maryland, where the
international hotel chain is headquartered.

In her 34-page complaint over the recent breach, Springmeyer contended
that the hotel chain failed to take required steps to safeguard
customer information, and should have been well aware of its
responsibilities, given the prior breach.

“Marriott made significant expenditures to market its hotels and
hospitality services, but neglected to adequately invest in data
security, despite the growing number of data intrusions and several
years of well-publicized data breaches, including its own massive
breach a little over a year ago,” the complaint said.

Springmeyer said that, since the breach, she has been monitoring her
accounts for any misuse of her information.

The suit alleges negligence, breaches of contract and confidence, and
violation of Maryland’s Consumer Protection Act.

A spokeswoman for Marriott did not immediately return a message seeking comment.

More information about the BreachExchange mailing list