CHICAGO (Legal Newsline) – The City of Chicago is suing hotel chain Marriott regarding a data breach that affected millions of customers worldwide.
The city filed the lawsuit against Marriott International Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide LLC. Feb. 14 in the U.S. District Court for the Northern District of Illinois claiming the hotel company violated the Municipal Code of Chicago by "failing to protect Chicago residents’ personal information."
"On Nov. 30, 2018, the hotel conglomerate Marriott announced a data breach affecting some 500 million people – the second largest data breach ever," where it "admitted that since 2014, criminal hackers have had unfettered access to a database that stores personal information about guests who reserved rooms at hotels operated by Starwood, a Marriott subsidiary," and "during this four-year period, criminals copied and encrypted guests’ personal information such as names, mailing addresses, email addresses, phone numbers, passport numbers, birth dates, and credit-and debit-card numbers," the lawsuit said.
The city claims Marriott did not take any action against the breaches and claimed the company knew about the issues.
"Defendants have long been aware of the risk of a data breach," the complaint said. "The hotel industry has been a favorite target of criminal hackers due to the industry’s massive collection of personal information and reputation for lax security. Indeed, defendants themselves have been the target of multiple computer-security incidents.
"Defendants nevertheless failed to implement reasonable safeguards that, on information and belief, could have prevented the data breach or at least detected it sooner. As one cybersecurity expert observed: 'it’s astonishing how long it took (defendants) to discover they were breached. … For four years, data was being pilfered out of the company, and they didn’t notice. They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing."
Marriott, per the complaint, "violated Section 10 of the Illinois Personal Information Protection Act by failing to notify Chicago victims about the data breach in the most expedient time possible and without unreasonable delay," the complaint said.
Chicago is seeking restitution to residents that were affected by the breach, in addition to a monetary fine of at least $2,000 per offense, an injunction ordering the company to implement safeguards to avoid future breaches, plus attorneys' fees, costs, and a jury trial.
The city is being represented by attorneys Jane Elinor Notz, and Stephen J. Kane of the City of Chicago Department of Law.
U.S. District Court for the Northern District of Illinois Case No. 1:19-cv-00948