DataBreaches.Net

Attorney General James Secures $250,000 from Movie Theater Operator for Failing to Protect Employees’ Personal Information

Posted on November 15, 2024 by Dissent

NEW YORK – New York Attorney General Letitia James today secured $250,000 from a global movie theater operator, National Amusements, Inc. (National Amusements), that operates movie theaters in the Bronx and on Long Island for failing to protect the personal information of its former and current employees and contractors. An investigation by the Office of the Attorney General (OAG) determined that National Amusements failed to implement strong data security, which left it vulnerable to a data breach that compromised the information of more than 23,000 New York employees. The OAG’s investigation also revealed that the company delayed telling affected employees of the breach for more than a year, in violation of the New York Shield Act. As a result of today’s agreement, National Amusements has agreed to pay $250,000 in penalties to New York and update and improve its cybersecurity infrastructure to protect employee data.

“No worker should have their social security and personal information stolen because their employer failed to protect them,” said Attorney General James. “Today’s agreement will strengthen National Amusements’ cybersecurity so that employees in New York and around the country can rest assured that their private information is protected. I urge all companies to follow the guidance from my office to better secure their systems to protect private information and data.”

National Amusements operates a chain of movie theaters globally, including in the Bronx and on Long Island. In December 2022, National Amusements was alerted by a vendor to suspicious activity and possible malware in their systems. Upon learning of the incident, National Amusements disabled internet access to their systems, reset all users’ passwords, and launched an investigation into the data breach incident. The investigation determined that the hacker stole an employee’s credentials to infiltrate National Amusements’ systems. Although National Amusements had multifactor authentication (MFA) in place, MFA was not enforced for certain channels, helping the hacker gain access.

The breach affected a total of 82,128 individuals, of which 23,365 were New York residents. Information that was exposed by this breach included name, date of birth, social security number, passport number, financial account number, driver’s license number, and health insurance account number. The OAG’s investigation determined that National Amusements failed to notify employees of the breach in a timely manner and waited more than a year to tell affected individuals.

National Amusements maintains that consumers who visited any one of their movie theaters were not impacted by this incident and that the breach was limited to the personal information of former and current employees and contractors.

As a result of today’s agreement, National Amusements will pay New York $250,000 in penalties and adopt a series of measures to strengthen its cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Encrypting all personal information, whether stored or transmitted;
  • Maintaining reasonable password policies that require the use of complex passwords, password rotation, and ensuring that stored passwords are protected from unauthorized access;
  • Maintaining a reasonable testing program designed to identify, assess, and resolve security vulnerabilities within the computer systems; and
  • Establishing, implementing, and maintaining an incident response plan for potential data security issues.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers.

In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

This matter was handled by Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.

Source: NYS Attorney General Letitia James

Category: Business Sector, Malware, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.