Filed in federal court in Georgia, by lead plaintiff David Orr, the suit alleges breach of implied contract, negligence and unjust enrichment. Orr claims the U.K.-based hotel chain, which has in excess of 5,000 hotels globally, failed to take adequate steps to prevent the installation of malware on its payment system and failed to detect the security breach.
“IHG’s security failures enabled the hackers to steal plaintiff’s and class members’ private Information from within IHG’s hotels and subsequently make unauthorized purchases on their credit and debit cards,” the complaint states. “The failures also put plaintiff’s and class members’ financial information and interests at serious, immediate and ongoing risk and, additionally, caused costs and expenses to plaintiff and class members attributable to responding, identifying and correcting damages that were reasonably foreseeable as a result of IHG’s willful and negligent conduct.”
According to the complaint, Orr stayed at an IHG Holiday Inn in Biloxi, Mississippi in October, 2016. During his stay he used his debit card to pay for his hotel room. His debit card contained private information, which was exposed due to IHG’s inadequate security.
On February 3, IHG announced that 12 of its locations had been affected by the data hack. Then, in April the company expanded the number of affected locations to over 1,000 and sent a data breach notification letter to affected customers, the suit states.
The suit seeks to represent a class of all consumers who used their credit or debit cards and were affected by the security breach at a hotel and time identified by IHG between September 29 and December 29, 2016.
Orr is represented by David J. Worley and James M. Evangelista of Evangelista Worley LLC. The case is Orr v. InterContinental Hotels Group PLC et al., case number 1:17-cv-01622, in the U.S. District Court for the Northern District of Georgia.