The massive data hack of guest information from the Marriott hotel empire has triggered a $100-million class action lawsuit in Calgary.
A statement of claim filed in Calgary Court of Queen’s Bench says the data breach in which hackers accessed records on as many as 500 million hotel guests was due to the chain’s lack of adequate security.
“The defendants knew or ought to have known that their databases were vulnerable to loss or theft,” says the claim, filed by Calgary lawyer Clint Docken and Edmonton counsel James Brown.
It says the company operates approximately 6,900 properties under 30 hotel brands, including Starwood hotels, in 130 countries and territories.
Marriott purchased Starwood Hotels and Resorts Worldwide LLC in September 2016 for $13.6 billion, the court documents say.
“There have been reports that during 2014, Starwood’s website was the home to (an) SQL injection bug and offers to hack the site were being made on the dark web,” it states.
Despite concerns about malware intrusion, a forensic investigation resulted in Starwood informing customers on two occasions in 2015 and 2016 “there was no indication that its guest database had been compromised in any way.”
But last Sept. 8, “the defendant received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.
“The defendant engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” the lawsuit says.
“On Nov. 30, 2018, Marriott announced it experienced what was, at the time, the second largest data breach in history.”
The lawsuit claims, among other things, Marriott didn’t utilize up-to-date security systems to protect its clientele.
“The defendants breached their duty of care by using dated security measures that failed to detect the security breaches as they happened and failing to notice the breaches for over four years.”
It says the hotel chain collected information from guests based on the understanding it would remain private.
“The personal information was communicated to the defendant or one of their subsidiaries on the basis that the information would be held in confidence and remain confidential,” the court action states.
The conduct of the defendants placed the plaintiffs at great risk, it claims.
“The personal information was and is capable of being used, in the hands of a third party, for a variety of illegal purposes, including identity theft, credit card fraud, land titles and mortgage fraud, break and entry and theft.”
A statement of defence disputing the unproven allegations has not been filed.
As a result of the Marriott data breach, at least three other proposed class actions have been brought to courts in Toronto and Montreal.
On Twitter: @KMartinCourts
Copyright Postmedia Network Inc., 2019
