Hotel chain Marriott sued over massive data breach

Customers in the US have sued global hotel chain Marriott for exposing their data, with one class-action lawsuit seeking $12.5 billion in damages.

The lawsuits were filed in the state of Oregon and Maryland, ZDNet reported on Monday.

"While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses," said the report.

Marriott International on November 30 revealed that its guest reservation system was hacked, exposing the personal information of approximately 500 million guests.

The hotel chain said the hack affected its Starwood reservation database, a group of hotels it bought in 2016 that included the St. Regis, Westin, Sheraton, W Hotels, Le Méridien and Four Points by Sheraton.

"For roughly two-thirds of the guests who were possibly affected, the information in the breach included names, addresses, phone numbers, email addresses, passport numbers and travel details," CNN reported.

Marriott said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward," said Chief Executive Arne Sorenson in a news release.

Marriott said that it reported the breach to law enforcement and was also notifying regulatory authorities.

Marriot shares witnessed a maximum 8.7 per cent drop after announcing the data breach.

According to cyber security experts, questions need to be asked as to how 500 million guests have been affected by this data breach.

"While we're still only beginning to assess the true extent of the attack, ultimately, the security solutions the Starwood Hotels and Marriott Group had in place clearly weren't sufficient enough if it allowed an unauthorised third party to get into the system," said David Emm, Principal Security Researcher at Kaspersky Lab.

"The data was encrypted, but the attackers potentially stole the keys too - highlighting that an extra layer of security should have been in place to prevent this from happening. This data breach is now one of the most critical data breaches in history," Emm said in a statement.

According to John Shier, Senior Security Advisor, Sophos, the potential fallout from the Marriott's Starwood data breach should be alarming to anyone who has stayed at a Starwood property in the last four years.

"Not only are guests at risk for opportunistic phishing attacks, but targeted phishing emails are almost certain, as well as phone scams and potential financial fraud," said Shier.

Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft.

The experts advised people to change passwords and use electronic cards, not physical ones, for online payments.

(With inputs from agencies.)