National Amusements theater chain to pay $250,000 for failing to protect employees from data breach, AG says

A Massachusetts-based company that operates movie theaters on Long Island and in the Bronx has agreed to pay $250,000 for failing to protect former and current employees personal information, New York Attorney General Letitia James announced on Friday.

The attorney general’s investigation found that National Amusements Inc. failed to install adequate cybersecurity infrastructure, which led to a data breach that left the personal data of more than 23,000 former and current New York employees vulnerable, James said.

The investigation also revealed that the company did not tell affected employees about the data breach for more than a year, a violation of the New HYork Shield Act, James said. In addition to paying $250,000, National Amusement also agreed to improve its cybersecurity infrastructure to prevent further breaches.

"No worker should have their Social Security and personal information stolen because their employer failed to protect them," James said. "Today’s agreement will strengthen National Amusements’ cybersecurity so that employees in New York and around the country can rest assured that their private information is protected."

An attorney general’s spokesman did not know which Long Island theaters may have been impacted by the data breach.

A spokeswoman for National Amusements, which is based in Norwood, Massachusetts, did not return requests for comment.

National Amusement, which operates a global chain of movie theaters, was told about suspicious activity and possible malware in its systems in December 2022, James said. National Amusement did not report the breach for more than a year to its workers.

The company did disable internet access to their systems, reset users’ passwords, and launched an investigation into the data breach. The investigation found that a hacker stole an employee’s credential to infiltrate National Amusements’ systems. The company had multifactor authentication in place. But it was not enforced for certain channels, helping the hacker gain access, James said.

More than 82,000 employees were affected, including 23,365 New York residents. Information exposed during the breach included names, dates of birth, Social Security numbers, passport numbers and financial account numbers.

National Amusements, according to James, said that moviegoers were not impacted by the breach and only the data of employees and contractors was exposed.

In addition to paying $250,000 to New York State, National Amusements also agreed to take several steps to protect employee’s personal data, James said.