Federal judge orders Marriott to release forensic report from Starwood data breach
The federal judge overseeing a shareholder lawsuit against Marriott stemming from the mega data breach at its Starwood unit has ordered the companies to release key documents surrounding the incident, including a third-party forensic report that could shed light on lapses leading to the massive hack of customer data.
The breach, which exposed personal information of at least 300 million Starwood lodging guests over a period of several years, came to light in 2018 and is one of the largest data hacks on record.
US District Judge Paul Grimm in Maryland granted a motion filed by noted investor firm Labaton Sucharow, which had petitioned the court to unseal the so-called PFI report – a Payment Card Industry Forensic Investigative Report that Marriott had sought to keep from public scrutiny.
“Because defendants have not met their burden to overcome the First Amendment right to access, the motion to unseal is granted,” Judge Grimm wrote, adding that the report will be subject to “narrowly tailored redactions” if defendants can prove they threaten any existing operational database systems.
Judge Grimm noted that shareholders’ request to release the report “does not run afoul” of rules governing a stay of discovery in the case and that “there is a First Amendment right to access portions of the PFI report and pleadings that cannot be shown to constitute a particularly identified, non-speculative harm.” He also challenged Marriott’s argument that disclosing parts of the report could jeopardize ongoing investigations into the breach, concluding “the record before me fails to do so.”
Labaton had filed its motion to unseal the documents in mid-August.