Marriott Sued Over Another Data Breach


Frequent Marriott guest Pati Springmeyer has filed a class action complaint against hotel chain Marriott International, Inc. arising from a data breach disclosed late in March.

She accused Marriott of negligence, negligence per se, breach of contract, breach of implied contract, breach of confidence, as well as deceptive and unfair trade practices in relation to the data breach.  The suit is filed in the Maryland District Court. Plaintiff is represented by Murphy Falcon and Murphy.

In order to reserve and book a room at a Marriott hotel, “Marriott’s guests create, maintain, and update profiles containing significant amounts of personal identifiable information (‘PII’), including their names, birthdates, addresses, locations, email addresses, and payment card information.” On March 31, Marriott announced that two of its employees’ login credentials were compromised and “‘an unexpected amount of guest information’ had been improperly accessed as early as mid-January 2020.” The compromised information includes “Contact Details,” “Loyalty Account Information,” “Additional Personal Details,” “Partnerships and Affiliations,” and “Preferences.” The plaintiff alleges that this data breach was caused by Marriott’s “failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect” guests’ personal information from unauthorized intrusions.

Springmeyer stayed at various Marriott hotels in the past decade and has allowed the company to keep her personal information, as required to book at the hotel. She was notified that her personal information was “compromised and ‘accessed without authorization.’” She has spent time monitoring her accounts to prevent identity theft and other misuses of her information. According to the complaint, Springmeyer and other class members could face, for example, identity theft and false purchases made in their name.

Marriott allegedly learned of the data breach in February and notified the 5.2 million affected guests on March 31. The plaintiff alleges that Marriott did not comply with FTC requirements to protect user information and violating Maryland’s Consumer Protection Act, specifically for deceptive and unfair trade practices.

Marriot has offered data breach victims one year of free enrollment in Experian’s Identity Works, a credit monitoring service, however, Springmeyer states that this measure is not enough because this misuse could occur for years to come.

Marriott suffered a prior data breach in November 2018, where the personal information of 500 million guests in Marriott’s Starwood reservation database was revealed due to a system flaw.