Attorney General James Secures $250,000 from Movie Theater Operator for Failing to Protect Employees' Personal Information

NEW YORK - New York Attorney General Letitia James today secured $250,000 from a global movie theater operator, National Amusements, Inc. (National Amusements), that operates movie theaters in the Bronx and on Long Island, for failing to protect their former and current employees' and contractors' personal information. An investigation by the Office of the Attorney General (OAG) determined that National Amusements failed to implement strong data security, which left it vulnerable to a data breach that compromised the information of more than 23,000 New York employees. The OAG's investigation also revealed that the company delayed telling affected employees of the breach for more than a year, in violation of the New York Shield Act. As a result of today's agreement, National Amusements has agreed to pay $250,000 in penalties to New York and update and improve their cybersecurity infrastructure to protect employee data.

"No worker should have their social security and personal information stolen because their employer failed to protect them," said Attorney General James. "Today's agreement will strengthen National Amusements' cybersecurity so that employees in New York and around the country can rest assured that their private information is protected. I urge all companies to follow the guidance from my office to better secure their systems to protect private information and data."

National Amusements operates a chain of movie theaters globally, including in the Bronx and on Long Island. In December 2022, National Amusements was alerted by a vendor to suspicious activity and possible malware in their systems. Upon learning of the incident, National Amusements disabled internet access to their systems, reset all users' passwords, and launched an investigation into the data breach incident. The investigation determined that the hacker stole an employee's credentials to infiltrate National Amusements' systems. Although National Amusements had multifactor authentication (MFA) in place, MFA was not enforced for certain channels, helping the hacker gain access.

The breach affected a total of 82,128 individuals, of which 23,365 were New York residents. Information that was exposed by this breach included name, date of birth, social security number, passport number, financial account number, driver's license number, and health insurance account number. The OAG's investigation determined that National Amusements failed to notify employees of the breach in a timely manner and waited more than a year to tell affected individuals.

National Amusements maintains that consumers who visited any one of their movie theaters were not impacted by this incident and that the breach was limited to the personal information of former and current employees and contractors.

As a result of today's agreement, National Amusements will pay New York $250,000 in penalties and adopt a series of measures to strengthen its cybersecurity practices going forward, including:

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured 225 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers.

In August 2024, Attorney General James and a multistate coalition secured 45 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

This matter was handled by Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D'Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.