Marriott breach sparks multibillion-dollar suits, with more to come

Two class-action lawsuits have already been filed against Marriott after the hotel chain revealed a massive breach of its systems that compromised 500 million customers. One of the suits is seeking billions in damages. And many more are on the way, according to industry experts.

Lawyers in Oregon filed a class-action lawsuit Friday on behalf of David Johnson, a lawyer, and Chris Harris, a business owner. Johnson had noticed unauthorized purchases on his credit card recently and believes it was due to the hack, according to Michael Fuller, an attorney for the plaintiffs. (Harris reportedly had to replace a credit card he had used at a Marriott.) A Baltimore law firm also filed suit.

The hotel company's breach was revealed thanks to Europe's recently enacted privacy law, known as GDPR, under which Marriott could owe up to $912 million in fines for the breach.

The U.S. doesn't have a similarly broad privacy law, although some types of data are protected. That means lawyers for Marriott's U.S. customers will have to show their clients were hurt and that it was Marriott's fault.

"We have to use the same law you would have used if your stagecoach got broken into 200 years ago," Fuller quipped.

Fuller has received a dozen inquiries since Friday complaining of either suspicious activity or an increase in spam, he told CBS MoneyWatch. The suit seeks up to $12.5 billion in damages -- or $25 for each customer who was affected. That covers "just the inconvenience of going to fix their credit, get a new credit card, and so forth," he said.

"This is a company that knows to invest in state-of-the-art marketing, state-of-the-art reservations … at the same time, it does not appear they went to the same level of investment protecting the information that they work so hard to get you to give them," said Hassan Murphy, managing partner at Murphy Falcon & Murphy, which filed the lawsuit in Maryland.

Marriott declined to comment on the lawsuits. Data-protection experts note the unusually broad extent of the company's breach, which revealed names, addresses, passport numbers, dates of birth, credit card information and travel details of at least 327 million people, and less sensitive information for up to 500 million. (The U.S. has about 329 million residents.)

"When you look at a breach like this, and especially the amount of time the hackers had access to the data, there's probably a case to be made that there's some accountability to the company. There's a delay in identifying the problem," said Neill Feather, CEO of SiteLock.

"Once the attackers have made their way in and infiltrated a network, they're financially motivated to stay hidden," he added.

Marriott also said that while some of the data was encrypted, it's possible hackers could have accessed the key to decrypt it, a situation that CNET senior producer Dan Patterson likened to "locking the door to your house but then giving out the key."

Marriott also suffered a cyberattack in 2015 that exposed customers' credit card numbers. While the hotel said the 2015 incident wasn't related to the one it just disclosed, cybersecurity experts said Marriott should have learned from its earlier experience. Oregon attorney Fuller argued that the 2015 incident should have alerted Marriott it was a hacking target and caused it to take precautions.

It can take years for victims to see any money after a breach, especially one with hundreds of millions of victims. Lawsuits stemming from Equifax's loss of 145 million customers' data last year are still ongoing. Some victims of that breach have also had success suing Equifax in small-claims court.

For many companies whose customer data gets breached, the penalties come in the form of damaged reputations, crushed stock prices or lost business. A report from the Ponemon Institute last year found that companies see a 5 percent stock drop, on average, after they report a data breach. (Equifax's stock is currently trading about 10 percent below its pre-breach level.) Yahoo, which holds the distinction for the biggest data breach of all time, by number of victims, saw its value cut by $350 million in its subsequent sale to Verizon.

"Data breaches are a very real business risk with bottom-line concerns," said Tim Steinkopf, president of Centrify, a data security firm.

Still, Marriott likely has the business resources (if not the technical ones) to weather a breach. It's worse for small businesses, which often lack the cash reserves to hold on during the long-term dip in business that follows. According to SiteLock's Feather, 60 percent of small businesses that experience a data breach eventually go bust because of it.