New Lawsuit Claims Marriott Still Exposes Customer Information

A new class action filed against Marriott following the massive data breach alleges that the hotel giant’s systems are affected by a serious vulnerability that still exposes customer information.

Several lawsuits have been filed against Marriott after the company revealed that hackers had access to its systems since at least 2014 and that they may have stolen the details of up to 500 million customers from the Starwood guest reservation database.

The latest class action, initiated by law firm Edelson in Maryland, claims that Marriott’s network is still vulnerable to cyberattacks. Edelson claims its in-house forensics lab discovered a flaw in Starwood’s internal systems that exposes a “wealth of information.”

Edelson’s complaint is redacted to avoid giving away the details of the vulnerability, but it does note that “some of the largest and most significant data breaches in recent history were carried out by leaving open access to this exact type of data.”

“[The exposed information] could provide an endless roadmap of network weaknesses and attack points. Likewise, a database of this kind offers numerous data points for phishing attacks and social engineering,” the complaint reads.

Edelson also pointed out that when individuals impacted by the breach sign up for the WebWatcher service offered by Marriott through Kroll, they relinquish their right to bring legal action.

The WebWatcher service, offered free of charge for one year, monitors websites where personal information is shared and alerts the consumer if their information is found. However, the WebWatcher terms of service include a mandatory arbitration, jury, and class action waiver.

The lawsuit highlights several past cybersecurity incidents involving Starwood and Marriott systems – including the discovery of vulnerabilities and malware – in an effort to show that the hotel company failed to take appropriate steps to secure customer information and that it violated several laws.

SecurityWeek has reached out to Marriott for comment and will update this article if the company responds.

Marriott discovered the massive breach on September 8, when one of its internal security tools detected suspicious activity related to the Starwood guest reservation database. The investigation launched by the company revealed that the unauthorized access may have dated as far back as 2014.

Individuals involved in the investigation revealed that some clues left behind by the hackers suggest that the attack may have been part of a cyber espionage operation conducted by the Chinese government.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
