Photo: Joseph GTK/Shutterstock.com

The Orlando, Florida-based personal injury firm Morgan & Morgan has sued Marriott International in federal court one day after the hotel chain announced it had been the victim of another data breach affecting millions of customers.

On Wednesday, attorneys with Morgan & Morgan filed a proposed class action lawsuit in the U.S. District Court for the District of Maryland. The suit, Springmeyer v. Marriott International, listed Las Vegas resident Pati Springmeyer as class representative, and alleges the company failed to take required steps to protect its customers' data.

"These large companies know the risk posed by cyber criminals and continue to be cavalier with their customers' personal information. It's stunning that Marriott, which is already defending a significant data breach, we allege, would not have taken more care to secure its customers' information," attorneys John Morgan and John Yanchunis said in a statement about the suit. "The fact that this breach comes less than two years after the first one we know about is damning, and they must be held accountable."

The new case was filed in the wake of Marriott's announcement Tuesday that it had been the victim of another data intrusion, one that could affect as many as 5.2 million people. The breach, according to Marriott, was discovered at the end of February, after learning that the login credentials of two employees had been compromised. The company said it believes the intrusion began in mid-January.

In its announcement, the company said personal identification information, including people's names, mailing addresses, email addresses, birth dates and phone numbers, were likely exposed, as well as information for their loyalty accounts with the hotel and some airlines.

The news comes less than 18 months after the company announced it had been subject to an even wider data breach. In November 2018, the company announced that the personal data of 500 million guests of its Starwood Hotels and Resorts Worldwide properties had been compromised. Marriott has since lowered that figure to fewer than 383 million, but the information that was potentially exposed in that breach included passport numbers and credit card information—both of which Marriott said were not likely to have been exposed in the latest breach.

Dozens of lawsuits were filed in the wake of the initial breach, which has been litigated out of federal court in Maryland, where the international hotel chain is headquartered.

In her 34-page complaint over the recent breach, Springmeyer contended that the hotel chain failed to take required steps to safeguard customer information, and should have been well aware of its responsibilities, given the prior breach.

"Marriott made significant expenditures to market its hotels and hospitality services, but neglected to adequately invest in data security, despite the growing number of data intrusions and several years of well-publicized data breaches, including its own massive breach a little over a year ago," the complaint said.

Springmeyer said that, since the breach, she has been monitoring her accounts for any misuse of her information.

The suit alleges negligence, breaches of contract and confidence, and violation of Maryland's Consumer Protection Act.

A spokeswoman for Marriott did not immediately return a message seeking comment.

READ THE COMPLAINT: