AG Secures $250K from Movie Theater Chain for Failing to Protect Employees’ Personal Information

New York Attorney General Letitia James recently secured $250,000 from National Amusements, Inc. (National Amusements), a global movie theater operator with theaters in the Bronx and on Long Island, for failing to protect the personal information of its current and former employees and contractors.

An investigation by the Office of the Attorney General (OAG) determined that National Amusements failed to implement strong data security, which left it vulnerable to a data breach that compromised the information of more than 23,000 New York employees. The OAG’s investigation also revealed that the company delayed telling affected employees of the breach for more than a year, in violation of the New York SHIELD Act.

National Amusements operates a chain of movie theaters globally, including in the Bronx and on Long Island. Some of the Long Island theaters include Showcase Cinema de Lux Broadway in Hicksville, the Showcase Cinema de Lux in Farmingdale and the Island 16 Cinema de Lux in Holtsville.

In December 2022, National Amusements was alerted by a vendor to suspicious activity and possible malware in its systems. Upon learning of the incident, National Amusements disabled internet access to its systems, reset all users’ passwords, and launched an investigation into the data breach incident. The investigation determined that the hacker stole an employee’s credentials to infiltrate National Amusements’ systems. Although National Amusements had multifactor authentication (MFA) in place, MFA was not enforced for certain channels, helping the hacker gain access.

The breach affected a total of 82,128 individuals, of whom 23,365 were New York residents. Information that was exposed by this breach included name, date of birth, Social Security number, passport number, financial account number, driver’s license number, and health insurance account number. The OAG’s investigation determined that National Amusements failed to notify employees of the breach in a timely manner and waited more than a year to tell affected individuals.

National Amusements maintains that consumers who visited any one of its movie theaters were not impacted by this incident and that the breach was limited to the personal information of former and current employees and contractors.

As a result of the agreement, National Amusements will pay New York $250,000 in penalties and adopt a series of measures to strengthen its cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Encrypting all personal information, whether stored or transmitted;
  • Maintaining reasonable password policies that require the use of complex passwords and password rotation and ensure that stored passwords are protected from unauthorized access;
  • Maintaining a reasonable testing program designed to identify, assess, and resolve security vulnerabilities within the computer systems; and
  • Establishing, implementing, and maintaining an incident response plan for potential data security issues.

“No worker should have their social security and personal information stolen because their employer failed to protect them,” James said. “Today’s agreement will strengthen National Amusements’ cybersecurity so that employees in New York and around the country can rest assured that their private information is protected. I urge all companies to follow the guidance from my office to better secure their systems to protect private information and data.”

Long Island Life & Politics reached out to National Amusements and is awaiting a reply.