New Lawsuit Claims Marriott Still Exposes Customer Information

A new class action filed against Marriott following the massive data breach alleges that the hotel giant’s systems are affected by a serious vulnerability that still exposes customer information.

Several lawsuits have been filed against Marriott after the company revealed that hackers had access to its systems since at least 2014 and that they may have stolen the details of up to 500 million customers from the Starwood guest reservation database.

The latest class action, initiated by law firm Edelson in Maryland, claims that Marriott’s network is still vulnerable to cyberattacks. Edelson claims its in-house forensics lab discovered a flaw in Starwood’s internal systems that exposes a “wealth of information.”

Edelson’s complaint is redacted to avoid giving away the details of the vulnerability, but it does note that “some of the largest and most significant data breaches in recent history were carried out by leaving open access to this exact type of data.”

“[The exposed information] could provide an endless roadmap of network weaknesses and attack points. Likewise, a database of this kind offers numerous data points for phishing attacks and social engineering,” the complaint reads.

Edelson also pointed out that when individuals impacted by the breach sign up for the WebWatcher service offered by Marriott through Kroll, they relinquish their right to bring legal action.

The WebWatcher service, offered free of charge for one year, monitors websites where personal information is shared and alerts the consumer if their information is found. However, the WebWatcher terms of service include a mandatory arbitration, jury, and class action waiver.

The lawsuit highlights several past cybersecurity incidents involving Starwood and Marriott systems – including the discovery of vulnerabilities and malware – in an effort to show that the hotel company failed to take appropriate steps to secure customer information and that it violated several laws.

SecurityWeek has reached out to Marriott for comment and will update this article if the company responds.

Marriott discovered the massive breach on September 8, when one of its internal security tools detected suspicious activity related to the Starwood guest reservation database. The investigation launched by the company revealed that the unauthorized access may have dated as far back as 2014.

Individuals involved in the investigation revealed that some clues left behind by the hackers suggest that the attack may have been part of a cyber espionage operation conducted by the Chinese government.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
