New York Attorney General Letitia James announced today that National Amusements, Inc., a global movie theater operator, will pay $250,000 in penalties for failing to protect the personal information of its employees and contractors. The breach, which affected over 23,000 New York residents, exposed sensitive data such as Social Security numbers, financial information, and health insurance details.
National Amusements, which operates theaters under the Showcase Cinemas brand in the Bronx and on Long Island, was found to have inadequate cybersecurity measures in place, leaving the company vulnerable to a data breach. The breach, which occurred in late 2022, was triggered by the theft of an employee’s credentials, allowing a hacker to infiltrate the company’s systems.
The Office of the Attorney General (OAG) found that while National Amusements had implemented multi-factor authentication (MFA) for certain systems, it failed to enforce MFA across all channels, allowing the hacker to bypass security controls. The breach compromised the personal information of 82,128 individuals, including 23,365 New Yorkers. Affected individuals had their personal details, including names, birthdates, Social Security numbers, and financial account numbers, exposed.
In addition to the financial penalty, National Amusements has agreed to enhance its cybersecurity infrastructure and adopt a series of new measures to safeguard sensitive data going forward. These measures include encrypting all personal information, implementing stronger password policies, and establishing a more rigorous testing program to identify potential security vulnerabilities.
Attorney General James expressed concern over the breach, emphasizing the importance of companies protecting workers’ personal data. “No worker should have their social security and personal information stolen because their employer failed to protect them,” said James. “Today’s agreement will strengthen National Amusements’ cybersecurity so that employees in New York and across the country can rest assured that their private information is protected.”
National Amusements, which is privately held and controlled by the Redstone family, including Shari Redstone after her father Sumner Redstone’s passing in 2020, operates theaters internationally and is also the controlling shareholder of Paramount Global (formerly ViacomCBS).
While the breach did not affect customer data from moviegoers, the company faced criticism for waiting over a year to notify employees of the breach, in violation of the New York SHIELD Act, which mandates timely notifications for data breaches affecting state residents.
Under the terms of the settlement, National Amusements will also be required to implement an incident response plan to better manage future data security issues and ensure swift action if another breach occurs.
The Attorney General’s office urged all companies to take the necessary steps to secure their systems and protect sensitive data, particularly as cybersecurity threats continue to rise.