According to an employee who recently filed a report with the Federal Trade Commission and a separate alert to the California Attorney General’s Office, The Lot movie theater company experienced a ransomware attack in early October 2023 that compromised its central servers, including those containing sensitive consumer and employee information. The employee alleges that a ransom was paid to resolve the matter and that the incident was handled internally without informing regulators or the public, in potential violation of state and federal data breach notification laws.
The allegations follow the mysterious October 6, 2023 system-wide closure of all four The Lot locations - La Jolla, Liberty Station, Newport Beach, and San Ramon - which the company attributed at the time to a "system-wide outage." The company's website was down for an extended period, and no specific cause was ever publicly confirmed. Despite requests for comment during the shutdown, The Lot declined to provide further detail and was cryptic in its announcements. Speculation at the time ranged from financial distress to cyberattack, but no confirmation was offered.
"Dear Guests," read an email sent from The Lot in October 2023. "We regret to inform you that our systems are currently down. We are working diligently to resolve the issue and will provide an update as soon as possible. We will remain closed until further notice. If you have purchased tickets, we will refund and/or exchange tickets for future dates. We appreciate your understanding & apologize for the inconvenience."
The Lot eventually reopened on October 12, 2023, after approximately a week closed due to the incident. The timing was important because planned showings of Taylor Swift's hugely anticipated concert film, the "Eras Tour", were to start on October 13, and tickets were sold out a month in advance. When the theaters reopened, they did not initially offer digital credit card processing.
Text messages from that period, reviewed by this publication, show that The Lot's management instructed employees not to open any emails from Lot-related accounts and to avoid using the company's on-site Wi-Fi - a directive consistent with standard responses to active ransomware incidents. These messages add weight to the claims that a cyberattack may have been the true cause of the system-wide disruption.
Under California law, businesses are required to notify any California resident whose unencrypted personal information is believed to have been acquired by an unauthorized party. This requirement falls under California Civil Code § 1798.82, which mandates that notice must be made "in the most expedient time possible and without unreasonable delay." If more than 500 California residents are affected, the business must also notify the California Attorney General.
Furthermore, the California Consumer Privacy Act (CCPA) and its expanded version, the California Privacy Rights Act (CPRA), place additional obligations on companies that collect and process personal data. These laws require companies to implement reasonable security procedures and disclose breaches of sensitive personal data. Noncompliance may lead to civil penalties or enforcement action by the California Privacy Protection Agency.
Text messages from that period, reviewed by this publication, show that The Lot's management instructed employees not to open any emails from Lot-related accounts and to avoid using the company's on-site Wi-Fi - a directive consistent with standard responses to active ransomware incidents. These messages add weight to the claims that a cyberattack may have been the true cause of the system-wide disruption.
Under California law, businesses are required to notify any California resident whose unencrypted personal information is believed to have been acquired by an unauthorized party. This requirement falls under California Civil Code § 1798.82, which mandates that notice must be made "in the most expedient time possible and without unreasonable delay." If more than 500 California residents are affected, the business must also notify the California Attorney General.
Furthermore, the California Consumer Privacy Act (CCPA) and its expanded version, the California Privacy Rights Act (CPRA), place additional obligations on companies that collect and process personal data. These laws require companies to implement reasonable security procedures and disclose breaches of sensitive personal data. Noncompliance may lead to civil penalties or enforcement action by the California Privacy Protection Agency.
On the federal level, while there is no singular national data breach notification law, the Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to investigate unfair or deceptive practices. If a company fails to adequately protect consumer data or misrepresents how it handles breaches - for example, describing a ransomware attack as a generic "system outage" - it may be subject to investigation and sanctions.
If the new claims prove accurate, The Lot may face scrutiny from both state and federal regulators. Failing to disclose a data breach not only violates the public trust but also could expose the company to substantial legal and financial penalties, particularly for a hospitality brand built on exclusivity and customer service.
Founded in 2015, The Lot quickly became known for its upscale cinema-and-dining model. The brand expanded rapidly, positioning itself as a high-end alternative to traditional theaters with curated menus, full bars, and events. The company was created by former executives involved with Cinépolis Luxury Cinemas, including La Jolla-based developer Adolfo Fastlicht. We reached out to Fastlicht for comment and more information but did not receive a response.
For more information about The Lot, visit thelotent.com.
If the new claims prove accurate, The Lot may face scrutiny from both state and federal regulators. Failing to disclose a data breach not only violates the public trust but also could expose the company to substantial legal and financial penalties, particularly for a hospitality brand built on exclusivity and customer service.
Founded in 2015, The Lot quickly became known for its upscale cinema-and-dining model. The brand expanded rapidly, positioning itself as a high-end alternative to traditional theaters with curated menus, full bars, and events. The company was created by former executives involved with Cinépolis Luxury Cinemas, including La Jolla-based developer Adolfo Fastlicht. We reached out to Fastlicht for comment and more information but did not receive a response.
For more information about The Lot, visit thelotent.com.
Originally published on May 4, 2025.