Breach of Starwood Hotels guest reservation database dates to at least 2014 and may affect personal data of 500 million customers
CHICAGO, December 3, 2018 – Marriott International Inc. (NASDAQ: MAR), the parent company of Starwood Hotels, failed to ensure that the personal information of as many as 500 million customers was adequately protected, leading to a massive, long-running data breach that may have lasted more than four years, according to a new nationwide class action lawsuit. The suit, filed by Adam Levitt and Amy Keller, partners at prominent national law firm DiCello Levitt, alleges that Starwood, and later Marriott, took more than four years to discover the breach and then failed to notify its customers in a timely manner. Marriott became the world’s largest hotel chain when it completed an acquisition of Starwood in 2016.
Beginning in 2014 and possibly earlier, and continuing through November 2018, hackers exploited vulnerabilities in Starwood’s network to access the guest reservation system and steal customer data. Marriott discovered the breach on September 8, 2018, but failed to publicly disclose it until nearly three months later, on November 30, 2018, when it admitted that there had been unauthorized access to the Starwood guest reservation database. This database contained personally identifiable customer information, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the information also included payment card numbers and payment card expiration dates. Starwood currently maintains a separate reservation system from other Marriott-branded hotels, though the company reportedly has plans to merge them at a later date.
“It is particularly egregious that Marriott did not discover this serious data breach during the course of its due diligence efforts in conjunction with its 2016 Starwood acquisition,” said Ms. Keller, who also serves as co-lead counsel in the nationwide class action against Equifax related to its 2017 data breach. “Marriott seems to forget that part of being in the customer service business includes actually taking care of its customers. Through this lawsuit, we intend to ensure that it never forgets that again.”
The lead plaintiffs in the class action are two longtime members of Starwood’s (and now Marriott’s) customer loyalty program, Illinois resident Peter Tapling and California resident David Sparks. Mr. Tapling, a loyalty program member for more than 31 years, was notified by email on November 30, 2018, that his information was compromised by the data breach. Mr. Sparks is still awaiting notification from Marriott that his information was compromised, but, based on public information and other information available only to him, he believes that his information has also been detrimentally affected. As a result, both Plaintiffs have been forced to take measures that otherwise would not have been necessary to ensure that their identities are not stolen and that their financial accounts are not compromised.
“It is not surprising that a company which took more than four years to even recognize its systems were being breached has also demonstrated that it was unprepared to properly execute a post-breach response plan,” said Mr. Levitt, one of the firm’s co-founding partners.
Ms. Keller agreed, noting, “Marriott’s dedicated website and call center for data breach inquiries appear woefully inadequate given the huge number of affected customers. Customers are experiencing long wait times, and the lack of information about who was affected and how has left guests confused and concerned. Moreover, Marriott’s offer to its customers of one year’s free enrollment in Web Watcher is deficient. Web Watcher is not a credit monitoring service. It merely keeps an eye on sites where thieves may sell or swap personal information. Hackers are likely well aware of Marriott’s one-year offer and will, therefore, wait for that period to expire before exploiting the stolen data.”
The complaint, filed in U.S. District Court for the District of Maryland, Southern Division, is Peter Tapling and David Sparks v. Marriott International Inc., Case No. 8:18-cv-3703. DiCello Levitt filed this case with Andrew Friedman of Cohen Milstein and James Pizzirusso of Hausfeld, both of whom are also members of the Equifax executive committee. A copy of the complaint is available upon request.
If you believe that you have been affected by the Marriott data breach, attorneys at DiCello Levitt are happy to speak with you about the ongoing litigation and how to protect your rights. Call (440) 953-8888 to speak with one of our attorneys or fill out our survey here, and we will contact you.
DiCello Levitt has significant experience seeking justice for plaintiffs in data breach and related technology litigation. From Mr. Levitt’s filing of the very first Internet privacy cases in the United States in 1999 to Ms. Keller’s Equifax leadership appointment earlier this year, the firm’s attorneys have long been at the forefront of this type of litigation and have been responsible for some of the key jurisprudence in this field.
About DiCello Levitt
DiCello Levitt is a different kind of law firm – one that combines excellence in commercial litigation, class action litigation, mass tort litigation, catastrophic injury litigation, labor and employment litigation, and civil rights litigation. Practicing nationwide – and internationally – from offices in Chicago and Cleveland, we are an aggressive, attentive, and creative plaintiffs’ firm whose work speaks for itself – billions of dollars in recoveries in some of the highest-profile matters in U.S. history. Revered by clients and respected by defense counsel, our team gets result