Marriott's data breach problems are only getting worse. A class action lawsuit has been filed against the hotel chain and cybersecurity experts say the whole ordeal could have been detected years ago.
Hackers stole data from as many as 500 million guests who made reservations at Marriott's Starwood properties, including some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
On Friday, Murphy, Falcon & Murphy, with their co-counsel Morgan & Morgan, filed a national class action lawsuit against Marriott, alleging that the hotel chain "failed to ensure the integrity of its servers and to properly safeguard consumers' highly sensitive and confidential information." The suit does not disclose how much they are seeking in damages.
Making matters worse, cybersecurity experts are claiming that Marriott may have missed an opportunity to catch and correct the problem during a smaller breach in 2015.
“With all the resources they have, they should have been able to isolate hackers back in 2015,” Andrei Barysevich, a researcher with the security company Recorded Future Inc., said in an interview with the Wall Street Journal.
"That’s absolutely true," Franklyn Jones, chief marketing officer of Cequence Security, said to USA TODAY about the possibility of an earlier detection. "I don’t know all the details for certain, but the likelihood is yes, it could have (been detected sooner). There are many different security vendors out there specifically for this reason, to detect traffic that looks suspicious. ... I would agree that this should have been detected long before it did, or at least been reported."
"The unfortunate thing is the impact is just getting started," Jones said. "What typically happens from these breaches is that the data finds its way out to the dark web, and bad people find those stolen credentials and try them on other websites to see if they can get them into other accounts."
USA TODAY has reached out to Marriott about these experts' claims.
"The potential damage cannot be understated," Paige Boshell, a privacy and cybersecurity attorney with Privacy Counsel in Birmingham, Alabama, said to USA TODAY. "This type of information may be retained and used over and over again for years."
The hotel chain announced Friday it determined on Nov. 19 that a breach had occurred involving the Starwood guest reservation database, which has information on reservations at Starwood properties made on or before Sept. 10, 2018.
Marriott said it was alerted on Sept. 8 about an attempt to access the Starwood database in the U.S. and enlisted security experts to assess the situation. Marriott said it learned there had been unauthorized access to the Starwood network since 2014 during the investigation.
An unauthorized party had copied and encrypted information from the database and had taken steps toward removing it, Marriott says. The company was able to decrypt the information on Nov. 19 and found that the contents were from the Starwood guest reservation database.
Any guest who made a Starwood reservation, regardless of whether they are a Starwood Preferred Guest member, may have had their data involved in the breach, Marriott says.
Contributing: Mike Snider