San Francisco: After customers in the US sued global hotel chain Marriott for exposing their data with one class-action lawsuit seeking $12.5 billion in damages, cyber security experts on Monday asked nearly 500 million affected customers globally to change passwords and take other precautions.
According to a report in ZDNet on Monday, the lawsuits were filed in the US state of Oregon and Maryland.
"While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses," said the report.
Marriott International on November 30 revealed that its guest reservation system was hacked, exposing the personal information of approximately 500 million guests.
According to cyber security experts, questions need to be asked as to how 500 million guests have been affected by this data breach.
"While we're still only beginning to assess the true extent of the attack, ultimately, the security solutions the Starwood Hotels and Marriott Group had in place clearly weren't sufficient enough if it allowed an unauthorised third party to get into the system," said David Emm, Principal Security Researcher at Kaspersky Lab.
"The data was encrypted, but the attackers potentially stole the keys too - highlighting that an extra layer of security should have been in place to prevent this from happening. This data breach is now one of the most critical data breaches in history," Emm said in a statement.
The hotel chain said the hack affected its Starwood reservation database, a group of hotels it bought in 2016 that included the St. Regis, Westin, Sheraton, W Hotels, Le Méridien and Four Points by Sheraton.
According to John Shier, Senior Security Advisor, Sophos, the potential fallout from the Marriott's Starwood data breach should be alarming to anyone who has stayed at a Starwood property in the last four years.
"Not only are guests at risk for opportunistic phishing attacks, but targeted phishing emails are almost certain, as well as phone scams and potential financial fraud," said Shier.
Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft.
"At this point, however, it's unclear what level of exposure each individual victim has been subject to. Until then, all potential victims should assume the worst and take all necessary precautions to protect themselves from all manner of scams," said Sophos.
Be on alert for spearphishing, opportunistic phishing, monitor your financial accounts and change passwords as a precaution, it added.
Marriott said that it reported the breach to law enforcement and was also notifying regulatory authorities. The hotel chain shares witnessed a maximum 8.7 per cent drop after announcing the data breach.