Hotels.com, Expedia Sued Over Data Breach


On Thursday, a Hotels.com user filed a class-action complaint against Hotels.com LP (HLP), HLP owner Expedia Group Inc. (Expedia), Amazon Web Services Inc. (AWS), and a group of unnamed individuals for their alleged failures related to a November 2020 data breach that exposed the plaintiff’s and others’ personally identifiable information.

The defendant operates Hotels.com, an online booking service where an individual can check hotel and room availability and make a reservation, the complaint said. However, in order to use the platform, the plaintiff noted that “a customer must enter in significant personally identifiable information (PII) such as a first name, last name, email address, password, home address, telephone number, and payment card information.” The plaintiff noted that users “trust that their PII will be maintained in a secure manner and kept from unauthorized disclosure to third parties as required by the law.”

According to the complaint, around November 9, there was a data breach that exposed millions of Californians’ PII collected by defendants HLP and Expedia, both of whose websites were impacted. The PII was stored with defendant AWS on its Cloud Hospitality server. Moreover, the plaintiff claimed that the defendants “have not issued a disclosure” about the breach as required by law; instead, the breach allegedly was disclosed via various news sources. The plaintiff added that the exposed PII includes “the full names, email addresses, national ID numbers, phone numbers, credit card numbers, credit card holder’s names, CVVs, expiration dates, and information regarding the nature and cost of the booked hotel stays.” Furthermore, the plaintiff proffered that the PII “was not stored in a hashed or otherwise secured format and failed to comply with the Payment Card Industry Data Security Standards as exemplified by the significant variety and amount of credit card PII that was exposed.” This data breach exposed information that is protected by the California Consumer Privacy Act (CCPA). As a result, users’ “unredacted names were revealed along with both unique identification numbers, such as driver’s license or passport numbers, as well as credit card or payment information.” Thus, with this information, a bad actor could access a user’s various accounts.

According to the plaintiff, the defendants failed to safely maintain and secure the PII as required by the CCPA. Specifically, the plaintiff averred that this information was not encrypted and that payment information was not stored in a way that complied with the Payment Card Industry Security Standards. Consequently, the plaintiff and putative class had their PII breached as a result of the defendants’ failures, which the plaintiff added was in disregard of the plaintiff’s and putative class’s privacy rights.

The putative class is defined as “(a)ll consumers in California whose PII was compromised in the Breach.” The defendants are accused of a violation of the California Consumer Privacy Act and California’s Unfair Competition Law, as well as negligence.

The plaintiff has sought an order certifying the class and for the plaintiff and her counsel to represent the class; an order requiring the defendants to notify the putative class; an award for damages; an award for costs and fees; pre- and post-judgment interest; and other relief.

The plaintiff is represented by the Law Offices of Todd M. Friedman PC.