In one of the few decisions of its kind in a consumer data breach case, a federal judge certified classes of former Marriott guests, allowing potential damages under the theory that guests overpaid for their hotel stays.

U.S. District Judge Paul Grimm on Tuesday certified various classes of consumers impacted by the 2018 breach, which compromised the personal information of 134 million guests who stayed at Starwood Hotels and Resorts Worldwide in the United States. Grimm narrowed the scope of the proposed classes, which he found were “overbroad” because they included those without injuries. But he found that tens of thousands of remaining hotel guests could pursue claims of negligence, consumer fraud and breach of contract, despite continuing to have some individual damages that would need to be calculated.