A pair of Oregonians became among the first in the nation Friday to file a class-action lawsuit against Marriott, hours after the company announced a massive data breach affecting 500 million customers of its Starwood hotels.
The lawsuit’s class representatives are listed as Chris Harris, a Portland businessman who frequently travels, and David Johnson, a Salem attorney who believes the breach could be responsible for suspicious activity he noticed on his credit card in the past year.
Johnson quickly canceled his credit card and got a new one after recognizing the strange activity, said Portland lawyer Michael Fuller, one of the attorneys representing the men in the suit filed in Multnomah County Circuit Court.
“In days past, hotel customers had to worry about things like unwashed towels and bed bugs,” reads the lawsuit. “In today’s digital age, the primary worry of hotel customers is the security of their card numbers and other sensitive personal information.”
According to Marriott, the information stolen includes dates of birth, phone numbers, passport numbers and credit card numbers and expiration dates. Marriott said credit card numbers were encrypted, but the company hasn’t been able to rule out the possibility that the cyber thieves also stole information needed to decrypt the card numbers.
Experts say that based on what’s happened in past data breach cases, most customers won’t have their personal information illicitly used and they won’t suffer any financial losses.
According to Marriott, someone gained unauthorized access to its customers’ sensitive information in 2014. Experts say by now — four years later — most of those credit cards already have expired.
But Fuller said birthdates don’t change, and passport numbers and home addresses might not have changed, either. Even if most customers aren’t victimized, Fuller said, given the size of the data breach, many millions could be.
The lawsuit seeks $12.5 billion — or $25 for each customer whose privacy may have been jeopardized after making a reservation with Starwood brand hotels, including W Hotels, St. Regis, Sheraton and Westin.
“That’s a place to start,” said Fuller, of the compensation the lawsuit is seeking. “We don’t expect anyone to have losses less than $25.”
Fuller said in some cases, the $25 will compensate individuals for lost time they spent in canceling credit cards. For others, their losses will be “significantly” higher if criminals fraudulently used their information, Fuller said. That could affect credit scores, and credit repair can be a laborious process.
Friday’s announcement marks the second-largest corporate data breach ever. Three billion Yahoo users’ sensitive personal information was exposed after a 2013 hack.
Scores if not hundreds of similar class-action lawsuits could be filed across the country in coming weeks. A Baltimore law firm also filed suit Friday.
Fuller said what typically happens is a panel of judges rules on whether to consolidate the cases into a single case, and members of the public who have signed up for any of the many lawsuits will join into one large class.
Portland attorney Kelly Jones filed the suit along with Fuller. A trio of Los Angeles attorneys also signed their names to the suit.
Read the lawsuit here.
— Aimee Green