DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Attorney General James Secures $250,000 from Movie Theater Operator for Failing to Protect Employees’ Personal Information

Posted on November 15, 2024 by Dissent

NEW YORK – New York Attorney General Letitia James today secured $250,000 from a global movie theater operator, National Amusements, Inc. (National Amusements), that operates movie theaters in the Bronx and on Long Island for failing to protect their former and current employees and contractors’ personal information. An investigation by the Office of the Attorney General (OAG) determined that National Amusements failed to implement strong data security, which left it vulnerable to a data breach that compromised the information of more than 23,000 New York employees. The OAG’s investigation also revealed that the company delayed telling affected employees of the breach for more than a year, in violation of the New York Shield Act. As a result of today’s agreement, National Amusements has agreed to pay $250,000 in penalties to New York and update and improve their cybersecurity infrastructure to protect employee data.

“No worker should have their social security and personal information stolen because their employer failed to protect them,” said Attorney General James. “Today’s agreement will strengthen National Amusements’ cybersecurity so that employees in New York and around the country can rest assured that their private information is protected. I urge all companies to follow the guidance from my office to better secure their systems to protect private information and data.”

National Amusements operates a chain of movie theaters globally, including in the Bronx and on Long Island. In December 2022, National Amusements was alerted by a vendor to suspicious activity and possible malware in their systems. Upon learning of the incident, National Amusements disabled internet access to their systems, reset all users’ passwords, and launched an investigation into the data breach incident. The investigation determined that the hacker stole an employee’s credentials to infiltrate National Amusements’ systems. Although National Amusements had multifactor authentication (MFA) in place, MFA was not enforced for certain channels, helping the hacker gain access.

The breach affected a total of 82,128 individuals, of which 23,365 were New York residents. Information that was exposed by this breach included name, date of birth, social security number, passport number, financial account number, driver’s license number, and health insurance account number. The OAG’s investigation determined that National Amusements failed to notify employees of the breach in a timely manner and waited more than a year to tell affected individuals.

National Amusements maintains that consumers who visited any one of their movie theaters were not impacted by this incident and that the breach was limited to the personal information of former and current employees and contractors.

As a result of today’s agreement, National Amusements will pay New York $250,000 in penalties and adopt a series of measures to strengthen its cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Encrypting all personal information, whether stored or transmitted;
  • Maintaining reasonable password policies that require the use of complex passwords, password rotation, and ensuring that stored passwords are protected for unauthorized access;
  • Maintaining a reasonable testing program designed to identify, assess, and resolve security vulnerabilities within the computer systems; and
  • Establishing, implementing, and maintaining an incident response plan for potential data security issues.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers.

In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

This matter was handled by Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.

Source: NYS Attorney General Letitia James

Category: Business SectorMalwareU.S.

Post navigation

← Patients at center of data breach case win $65M settlement against Lehigh Valley Health Network
Turkey fines Amazon’s Twitch 2 million lira for data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.