Two US-based law firms have filed a national class action lawsuit against Marriott International over the data breach the hotel company revealed on Friday.
Murphy, Falcon & Murphy and Morgan & Morgan filed the lawsuit on behalf of the estimated 500 million Starwood customers whose data may have been compromised in the breach, including lawyers Harry Bell and Edward Claffy.
Marriott admitted it became aware of the breach on the Starwood guests database on 8 September, but only began reporting it to customers on 30 November. The breach had begun in 2014 – two years before the company bought Starwood.
Personal details that could have been obtained by the hackers include names, birthdates, addresses, phone numbers and passport numbers. For some customers, their payment card details may also have been compromised, though Marriott says this information would require two components to decrypt.
Marriott is still working with cyber security experts and authorities to determine the scope of the breach.
The lawsuit alleges Marriott failed to invest enough resources in its security programmes to discover the breach sooner.
Plaintiffs are seeking punitive damages and reimbursement for credit or debit card fraud and out-of-pocket expenses resulting from the breach, as well as costs from not being able to use accounts and “losses in the form of deprivation of the value” of the plaintiffs’ personal details.
The lawyers also claim Marriott’s offer of a free subscription to the Webwatcher service to monitor for evidence of customers’ details being used online is “inadequate” and are seeking credit monitoring services.
Lawyer John Yanchunis from Morgan & Morgan was lead counsel in the litigation relating to the Yahoo data breach, which resulted in an $85 million settlement.