On Friday, two lawsuits were filed against Marriott, which last week announced that hackers had broken into its database. One lawsuit was filed by two men in Oregon and another was filed hours later in the state of Maryland. Both are seeking class-action status.
The plaintiffs in Oregon, David Johnson and Chris Harris, are seeking $12.5 billion in costs and losses -- or $25 for each of the 500 million users who had their personal data stolen from Marriott's servers.
“In today’s digital age, the primary worry of hotel customers is the security of their card numbers and other sensitive personal information,” the complaint states. “For the past four years, 500 million customers expecting a comfortable worry-free stay at Marriott were instead exposed to one of the largest digital infestations in history.”
The hotel chain disclosed last week that the breach occurred at its Starwood-branded hotels, which include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
Seeking fair compensation
An investigation revealed that unknown parties had gained access to the database sometime in 2014. Records that were stolen included, “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
Marriott didn't say how many guests had their financial data stolen, but officials said in a press release that the figure can't be more than 327 million.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s CEO, said in a statement last week. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The Oregon plaintiffs said they’re seeking $25 per affected guest because that’s the minimum value for the amount of time users will spend canceling their credit cards due to the breach. Plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott.
“Large, sophisticated companies like Marriott are not blind to the risks posed by cyber criminals, who are constantly attempting to infiltrate corporations that store sensitive consumer information,” John Yanchunis, an attorney for the law firm Morgan & Morgan, told Gizmodo. “The fact that a breach that began in 2014 went undetected for four years is shocking and horrifying.
“When guests stay at hotels, they trust the hotel will provide adequate security – both physical and the protection of their private information. It appears that the trust 500 million people placed in Marriott/Starwood was violated – for nearly half a decade,” Yanchunis added.
The Marriott hack was one of the largest in history, ranking second only to a breach that impacted Yahoo in 2013, in which hackers stole the personal information of three billion users.