Victims of Marriott’s recently reported hack are suing the hotel chain for billions of US dollars.
Two Oregon men were the first to launch legal action, blaming Marriott for exposing their data. Another lawsuit has since been filed in Maryland, with both lawsuits seeking class-action status.
The Oregon complainants are seeking $12.5 billion (£9.8 billion) in costs and losses and, with 500 million customers apparently affected by the data breach, that would equate to $25 (£19.60) each in compensation. The Maryland lawsuit has not yet put a figure on the compensation being sought.
The two Oregon plaintiffs believe the $25 (£19.60) is a minimum value for the time customers will have to spend cancelling bank cards.
Marriott confirmed the data breach on Friday, and said the breach had been going on for four years.
Guests who stayed at Marriott’s Starwood-branded hotels in that time frame may have had their financial details stolen, according to Marriott.
Starwood brands include Element Hotels, Aloft Hotels, Four Points by Sheraton, Design Hotels, Le Méridien Hotels & Resorts, St. Regis, Sheraton Hotels & Resorts, The Luxury Collection, Tribute Portfolio, W Hotels and Westin Hotels & Resorts.
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, said the legal ramifications for Marriott and its subsidiaries could be staggering, “from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.”
He added: “This looks like one more tremendous data breach related to insecure web applications. Many large companies still do not even have an up-to-date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.
“Regulations, such as GDPR, do not necessarily help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy.”
Tom Kellermann, chief cybersecurity officer for Carbon Black, said: “It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation – they’re getting in, moving around and seeking more targets as they go.
“The report also found that more than a third (36%) of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation’s affiliates, often smaller companies with immature security postures, and this can often be the case during mergers and acquisitions. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”