November 15, 2024

NEW YORK - New York Attorney General Letitia James today secured $250,000 from a global movie theater operator, National Amusements, Inc. (National Amusements), that operates movie theaters in the Bronx and on Long Island for failing to protect their former and current employees and contractors' personal information. An investigation by the Office of the Attorney General (OAG) determined that National Amusements failed to implement strong data security, which left it vulnerable to a data breach that compromised the information of more than 23,000 New York employees. The OAG's investigation also revealed that the company delayed telling affected employees of the breach for more than a year, in violation of the New York Shield Act. As a result of today's agreement, National Amusements has agreed to pay $250,000 in penalties to New York and update and improve their cybersecurity infrastructure to protect employee data.

"No worker should have their social security and personal information stolen because their employer failed to protect them," said Attorney General James. "Today's agreement will strengthen National Amusements' cybersecurity so that employees in New York and around the country can rest assured that their private information is protected. I urge all companies to follow the guidance from my office to better secure their systems to protect private information and data."

National Amusements operates a chain of movie theaters globally, including in the Bronx and on Long Island. In December 2022, National Amusements was alerted by a vendor to suspicious activity and possible malware in their systems. Upon learning of the incident, National Amusements disabled internet access to their systems, reset all users' passwords, and launched an investigation into the data breach incident. The investigation determined that the hacker stole an employee's credentials to infiltrate National Amusements' systems. Although National Amusements had multifactor authentication (MFA) in place, MFA was not enforced for certain channels, helping the hacker gain access.

The breach affected a total of 82,128 individuals, of which 23,365 were New York residents. Information that was exposed by this breach included name, date of birth, social security number, passport number, financial account number, driver's license number, and health insurance account number. The OAG's investigation determined that National Amusements failed to notify employees of the breach in a timely manner and waited more than a year to tell affected individuals.

National Amusements maintains that consumers who visited any one of their movie theaters were not impacted by this incident and that the breach was limited to the personal information of former and current employees and contractors.

As a result of today's agreement, National Amusements will pay New York $250,000 in penalties and adopt a series of measures to strengthen its cybersecurity practices going forward, including:

• Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
• Encrypting all personal information, whether stored or transmitted;
• Maintaining reasonable password policies that require the use of complex passwords, password rotation, and ensuring that stored passwords are protected for unauthorized access;
• Maintaining a reasonable testing program designed to identify, assess, and resolve security vulnerabilities within the computer systems; and
• Establishing, implementing, and maintaining an incident response plan for potential data security issues.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers.

In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July, Attorney General James also issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.

This matter was handled by Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D'Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.