
In a significant move to reinforce digital data protection, New York Attorney General Letitia James announced a settlement in which National Amusements, Inc.—a major operator of movie theaters, including venues in the Bronx and on Long Island—will pay $250,000 for failing to adequately protect its workers' personal information. According to the New York State Attorney General's Office, an investigation revealed the company’s lax approach to cybersecurity, which directly resulted in a data breach impacting more than 23,000 employees in New York.
The inquiry found that National Amusements failed to promptly inform affected personnel of the breach, waiting over a year to do so and thus violating the New York SHIELD Act. "No worker should have their social security and personal information stolen because their employer failed to protect them," said Attorney General James in a statement in the official press release. The settlement requires National Amusements not only to pay the agreed sum to the state of New York but also to drastically improve its cybersecurity infrastructure to better safeguard employee data in the future.
National Amusements discovered the breach in December 2022 after a vendor alerted the company to suspicious activity, which was later linked to a hacker exploiting stolen employee credentials. Although the company had multifactor authentication (MFA) measures in place, they were not enforced on certain channels, which simplified the attacker's infiltration efforts. The breach had wide-reaching effects, compromising sensitive data such as names, birthdates, Social Security, passport and driver's license numbers, as well as financial and health insurance information, of over 82,000 individuals nationwide, including the 23,365 residing in New York.
Following the settlement, National Amusements assured its customers that moviegoers visiting its theaters were not affected by this breach, clarifying that it was confined to former and current employees and contractors. To amend its security protocols, the company has agreed to undertake several measures, including initiating a comprehensive information security program and maintaining stringent password policies to guard against unauthorized access. Moreover, as part of the initiative to bolster defenses against future cyber threats, it will establish a rigorous testing program designed to identify and resolve systemic vulnerabilities.
This latest development adds to a series of actions by Attorney General James to hold companies accountable for cybersecurity failures and strengthen data protection standards across industries. Earlier this year, James' office also released preventive guides and alerts aimed at helping businesses and consumers navigate cyber risks. This particular case was managed by Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger from the OAG's Bureau of Internet and Technology, a division focused on rooting out economic injustices tied to technological malpractices.









