Law firm Morgan & Morgan announced on Thursday that it has filed a class action lawsuit against Marriott over the recently disclosed data breach that has impacted as many as 5.2 million individuals.
The complaint filed by Morgan & Morgan in the District of Maryland accuses Marriott of negligence, breach of contract, breach of confidence, and deceptive and unfair trade practices.
Marriott has been accused of “failing to take adequate and reasonable measures to ensure their data systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard guest PII; failing to take standard and reasonably available steps to prevent the Data Breach; failing to monitor and timely detect the Data Breach; and failing to provide Plaintiff and Class Members with prompt and accurate notice of the Data Breach.”
Marriott revealed on Tuesday that someone may have stolen information on up to 5.2 million guests after accessing an internal application using the credentials of two employees at a franchise property. The app in question is used by corporate-owned and franchised hotels to provide services to guests.
The investigation into the incident has so far revealed that the unauthorized access likely started in mid-January. The breach was discovered at the end of February.
Various types of information were exposed, including name, mailing address, email address, phone number, loyalty account number and point balance, company name, gender, birth day and month, information on the customer’s preferences, and details on partnerships and affiliations. However, not every piece of information was present for each affected guest.
Marriott believes Bonvoy account passwords or PINs, passport information, payment card information, national IDs or driver’s license numbers have not been compromised. However, Bonvoy passwords have been reset and impacted guests have been offered identity protection services free of charge for one year.
This breach is relatively small compared to the incident disclosed by Marriott in November 2018, which impacted roughly 383 million people who had stayed at Starwood hotel properties. A class action lawsuit has been filed against Marriott over this older breach as well and a federal judge recently allowed the case to proceed.
“These large companies know the risk posed by cyber criminals and continue to be cavalier with their customers’ personal information. It’s stunning that Marriott, which is already defending a significant data breach, we allege, would not have taken more care to secure its customers’ information. The fact that this breach comes less than two years after the first one we know about is damning, and they must be held accountable,” Morgan & Morgan attorneys John Morgan and John Yanchunis said in a joint statement.
“When guests stay at hotels, they trust the hotel will provide adequate security – both physical and the protection of their private information. It appears that the trust millions of people placed in Marriott was violated – again,” they added.