On May 3, lawyers for victims of Marriott’s 2018 cyberattack scored a victory that’s practically unheard of in data breach cases: class certification.

U.S. District Judge Paul Grimm of the District of Maryland’s ruling allows subclasses of Marriott guests to pursue claims that they overpaid for their hotel reservations. Amy Keller, one of three lead plaintiffs’ lawyers in the case, said Grimm’s order dispelled the growing mantra from corporate defendants that victims can’t prove exactly whose cyberattack compromised their personal information.