NY AG Announces Probe of Marriott Data Breach and Its Failure to Report Incident
November 30, 2018 at 11:34 AM
New York Attorney General Barbara Underwood is investigating a data breach that compromised the data of approximately 500 million persons who made reservations at Marriott International's Starwood hotels.
A spokeswoman for Underwood's office confirmed Friday morning that they were looking into the breach and that the company may have violated state law by not notifying the attorney general of the incident.
“We've opened an investigation into the Marriott data breach,” said Amy Spitalnick, spokeswoman for Underwood. “Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet.”
Marriott, which announced the data breach early Friday morning, said in a statement that they are working on filing regulatory notices with state authorities following their announcement of the breach.
“We are in the process of completing the filing of all regulatory notices this morning,” a spokesman for Marriott said.
Underwood was among the first state attorneys general to confirm an investigation into the breach Friday morning. The reach of her investigation, and any civil litigation arising from it, would be limited to the breach's impact on New York residents. In situations like these, the attorney general's office typically partners with attorneys general from several states to reach a national settlement for victims of an incident.
The multinational hotel chain is headquartered outside New York in Bethesda, Maryland. Maryland Attorney General Brian Frosh said in a statement Friday morning that his office would be taking a “hard look” at the security incident, though a spokeswoman said the office typically does not confirm or deny active investigations into a company.
“The Marriott data breach is one of the largest and most alarming we've seen,” Frosh said. “My office will be taking a hard look at Marriott's actions to understand the circumstances that led to the breach.”
Frosh also said his office will be working with the company to make sure users affected by the breach are notified. They will also be monitoring the company's response to the incident, Frosh said.
Marriott announced Friday morning that an investigation that ended nearly two weeks ago had confirmed the data breach. The company launched the investigation after it was informed of a possible security incident by an internal security tool on Sept. 8, according to Marriott. The investigation determined that there had been unauthorized access to the Starwood network since 2014.
The incident compromised the data of 500 million people who made a reservation at one of the company's Starwood properties on or before Sept. 10, Marriott said. For an unknown number of those customers, the information obtained may have included credit card numbers and their expiration dates. Those were encrypted in the system, Marriott said, but whoever accessed the database may have been able to decrypt them.
About two-thirds of users had other information compromised as well, including their passport number, name, mailing address, phone number, email address, date of birth and gender. The breach also compromised details on their stay at the Starwood property, as well as their account information with the Starwood Preferred Guest program.
The company said it's already reported the incident to law enforcement and has begun notifying regulatory authorities. As of Friday morning, authorities in New York had not been notified, Spitalnick said.
New York state law requires that a company inform the state's affected residents when a person acquires their personal computerized data without valid authorization. There are situations, according to the law, where a company may be asked to delay notifying its users if that message would impede a criminal investigation.
Once a security breach is discovered, a company must report it to three state entities: the attorney general's office, the state police and the Department of State. The Consumer Frauds and Protection Bureau within the attorney general's office handles incidents involving a security breach. Marriott had failed to inform any of the three as of Friday morning, according to the attorney general's office.
The data breach affected customers who stayed at more than a half-dozen of the company's Starwood properties, including W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties also were impacted.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott's president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The company has created a website to address the concerns of users who suspect they may have been affected. That can be found at info.starwoodhotels.com. Customers also may call the company's call center for the breach, which is at 877-273-9481 for users in the U.S. Marriott also will begin sending emails to affected users on a rolling basis, starting Friday.