New York Attorney General Letitia James has reached a settlement with National Amusements, Inc., a global movie theater operator, resulting in a $250,000 penalty for the company. The agreement follows an investigation by the Office of the Attorney General (OAG), which found that National Amusements failed to adequately protect the personal information of over 23,000 employees in New York.
The OAG's inquiry revealed that insufficient data security measures led to a data breach that compromised sensitive information, including names, social security numbers, and financial account details. The breach affected 82,128 individuals overall. Additionally, it was discovered that National Amusements delayed notifying affected employees for more than a year after the breach, contravening the New York SHIELD Act.
Attorney General James stated: “No worker should have their social security and personal information stolen because their employer failed to protect them.” She emphasized that this agreement will enhance cybersecurity at National Amusements to safeguard employee information both in New York and nationwide.
The incident came to light in December 2022 when a vendor reported suspicious activity on National Amusements' systems. An investigation concluded that hackers accessed these systems using stolen employee credentials. Although the company had multifactor authentication (MFA), it was not enforced across all channels.
National Amusements clarified that consumers visiting its theaters were unaffected by this breach, as it pertained solely to current and former employees and contractors. As part of the settlement, the company will implement improved cybersecurity measures, including comprehensive security programs, encryption of personal data, stronger password policies, regular vulnerability assessments, and an incident response plan.
Attorney General James has been active in addressing cybersecurity lapses across various sectors. In October 2024, she secured $2.25 million from a healthcare provider for similar failures in data protection. Her office also achieved settlements with other companies over inadequate data security practices earlier this year.
This case was managed by Deputy Bureau Chief Clark Russell under Bureau Chief Kim Berger's supervision within the Bureau of Internet and Technology.