Marriott International, Inc. is facing the beginnings of what may be a bigger wave of litigation filed in the wake of a years-long data breach that exposed approximately 500 million guests’ private information to hackers. The first three lawsuits, filed in Maryland, Massachusetts and Illinois, argue that the hotel chain and Starwood Hotels & Resorts Worldwide not only failed to implement adequate security measures to protect guests’ data but neglected to provide timely notice to customers that their information had been stolen.
The breach supposedly began as early as 2014 when unauthorized parties gained access to the reservation system for Starwood Hotels & Resorts Worldwide, LLC, now owned by Marriott. The hotel chain somehow failed to detect the breach for more than four years, the plaintiffs charge, and waited until November 2018 to notify potentially affected customers that their information may have been compromised.
According to the lawsuits, Starwood’s reservation system contains “massive amounts” of customers’ personal information, such as names, addresses, passport information, birth dates, and credit and debit card numbers. Starwood, which is named as a defendant in two of the lawsuits, collects this data from customers when they register on its website, join its Loyalty Program, make purchases at its dining or retail locations, or check in at one of the company’s hotels, the lawsuit says. Those hotels include brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
The lawsuits allege that Marriott customers now face “years of constant surveillance” of their personal records and a higher risk of identity theft. According to the plaintiffs, the hotel chain’s offer of one year of free enrollment in Web Watcher is an insufficient remedy for their damages, as the service only applies to guests who live in the United States, Canada, and Britain and “is not a credit monitoring service.”