In Re: Marriott International, Inc., Customer Data Security Breach
Total Page:16
File Type:pdf, Size:1020Kb
Case 8:19-cv-00368-PWG Document 80 Filed 07/24/20 Page 1 of 327 UNITED STATES DISTRICT COURT DISTRICT OF MARYLAND SOUTHERN DIVISION IN RE: MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY MDL No. 8:19-md-2879-PWG BREACH LITIGATION Judge Paul W. Grimm This Document Relates To: This document relates to Case No. 8:19-cv-00368-PWG DENNIS MCGRATH, Individually and on behalf of all others similarly situated, Plaintiff, JURY TRIAL DEMANDED vs. MARRIOTT INTERNATIONAL, INC., ARNE M. SORENSON, KATHLEEN KELLY OBERG, BAO GIANG VAL BAUDUIN, BRUCE HOFFMEISTER, MARY K. BUSH, FREDERICK A. HENDERSON, LAWRENCE W. KELLNER, AYLWIN B. LEWIS, and GEORGE MUÑOZ, Defendants. THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT FOR VIOLATIONS OF FEDERAL SECURITIES LAWS Case 8:19-cv-00368-PWG Document 80 Filed 07/24/20 Page 2 of 327 TABLE OF CONTENTS Page I. NATURE OF THE CLAIM ................................................................................................ 2 A. Marriott Seeks to Merge with Starwood, Attracted by Its Clientele and Data ......................................................................................................................... 3 B. Marriott Was Obligated to Protect Starwood’s Data and to Perform Due Diligence on Starwood’s Systems .......................................................................... 5 C. Marriott Assured the Market that It Conducted Extensive Due Diligence and That Starwood’s Customer Data Was Secure .................................................. 6 D. Starwood’s Systems Were Outdated and Unprotected ........................................... 8 E. Defendants Either Knew That Starwood’s Systems Were Extremely Vulnerable to an Attack, or Were Severely Reckless in Disregarding the Risk ....................................................................................................................... 11 F. The Data Breach ................................................................................................... 17 G. Events Following the Data Breach and Documentary Evidence Confirm Defendants Made False and Misleading Statements About Marriott’s Due Diligence ............................................................................................................... 20 II. JURISDICTION AND VENUE ....................................................................................... 23 III. PARTIES .......................................................................................................................... 24 A. Lead Plaintiff ........................................................................................................ 24 B. Defendants ............................................................................................................ 25 1. The Individual Defendants ........................................................................ 25 2. The Audit Committee Defendants ............................................................ 27 IV. CONFIDENTIAL WITNESSES ...................................................................................... 31 V. CONTROL PERSON ALLEGATIONS........................................................................... 33 VI. SUBSTANTIVE ALLEGATIONS .................................................................................. 36 A. Nature of Marriott’s Business ............................................................................... 36 1. The Importance of Customer Data to Marriott ......................................... 36 2. The Data That Marriott Collects ............................................................... 40 i Case 8:19-cv-00368-PWG Document 80 Filed 07/24/20 Page 3 of 327 3. Marriott Understood the Importance of Keeping this Valuable Data Secure ........................................................................................................ 44 4. Rules and Regulations that Required Marriott to Keep Data Secure ........ 46 B. Marriott Seeks to Maximize Value by Merging with Hotel Giant Starwood ....... 49 1. Marriott’s M&A Activity Prior to Acquiring Starwood ........................... 49 C. The Massive Starwood Acquisition ...................................................................... 51 1. Analyst and Market Reaction to the Deal Underscores the Importance of the Acquisition of Starwood Customer Data to Marriott’s Business ................................................................................... 54 2. Marriott Conducts Inadequate Due Diligence at the Time of the Merger and Fails to Detect Numerous Vulnerabilities In Starwood’s System—Including a Massive Data Breach .......................... 59 a. Marriott’s Assurances to the Market ................................................. 60 3. Unbeknownst to the Market, Starwood Was Suffering from Massive Security Vulnerabilities That Left Customer Data Unsecured, and This Data Continued to be Unsecure After Marriott Acquired Starwood ................................................................................... 63 a. Oracle Deficiencies Lead to Security Vulnerabilities ....................... 64 b. Starwood’s Security Deficiencies Expose Valuable Data ................. 66 4. Defendants Either Knew That Starwood’s Systems Were Vulnerable to an Attack or Were Severely Reckless in Disregarding the Risk ............................................................................... 73 a. Confidential Witnesses Confirm Defendants Were Made Aware of the Severe Security Deficiencies in Starwood’s Systems ............................................................................................ 73 b. After the Deal Closed, Marriott Misled the Market About the Effectiveness of the Integration Process and Failed to Safeguard its Valuable Customer Data ............................................ 79 (i) The Integration Process........................................................... 79 (ii) Marriott Encountered Problems of Its Own Making While Integrating Starwood’s Troubled Networks ................. 80 (iii) The Integration Was Too Big to Handle and Too Expensive to Successfully Implement .................................... 86 ii Case 8:19-cv-00368-PWG Document 80 Filed 07/24/20 Page 4 of 327 5. Marriott Was Put on Explicit Written Notice of Security Vulnerabilities in Starwood’s Systems After It Commissioned Several Assessments of Starwood’s Cybersecurity Risks ........................ 91 6. Marriott Ignored Obvious Red Flags Alerting Them to Cybersecurity Risks and Data Breaches ................................................... 94 a. Successful Cyberattacks of Starwood’s Systems Put Defendants on Notice of Data Security Risks .................................. 94 b. Marriott Ignored Numerous High-Profile Data Breaches in the Hotel Industry .................................................................................. 96 c. The Equifax Data Breach Was Another Red Flag for Defendants ..................................................................................... 102 D. The Data Breach ................................................................................................. 104 1. Marriott’s Discovery of the Data Breach and the Initial Revelation to the Public ............................................................................................ 104 2. Marriott’s Response to the Data Breach ................................................. 112 E. Post-Class Period ................................................................................................ 114 F. Litigation and Regulatory Action Against Marriott ............................................ 118 1. The Multi-District Litigation in the District of Maryland ...................... 118 2. The Court Has Already Determined That Marriott Made Material Omissions About Its Due Diligence and Data Security and Knew the Company’s Due Diligence and Data Security Was Inadequate ........ 119 3. Evidence Produced to Plaintiffs in Parallel Derivative Litigation .......... 127 4. Regulatory Proceedings .......................................................................... 134 5. Experts’ Reaction to the Data Breach ..................................................... 135 G. The PFI Report Provides Conclusive Evidence That Marriott Misled the Market About Its Due Diligence and Security Risks Associated With Starwood’s Systems ............................................................................................ 137 1. PCI DSS .................................................................................................. 137 2. Marriott Commissions a PFI Report ....................................................... 138 3. Threat Actor’s Activity in Starwood’s Systems ..................................... 140 iii Case 8:19-cv-00368-PWG Document 80 Filed 07/24/20 Page 5 of 327 4. Verizon’s Conclusions and General Timeline of the Data Breach ......... 140 5. Malware Installation and Execution ....................................................... 149 6. Suspicious Queries .................................................................................. 151 7. Other Affected Servers ........................................................................... 152 a. Staging & Exfiltration of Database Tables ...................................... 153 8. RAM-Scraper Malware in the Starwood CDE ....................................... 155 9. PCI DSS Violations ................................................................................ 157 10. Causes of Data Breach Identified in the PFI Report ..............................