Marriott International is facing a group action in London on behalf of millions of hotel guests who want compensation for lost personal data in one of the world’s biggest data breaches ever.
The collective action has been filed by Martin Bryant, who runs a tech and media consultancy firm, in the UK’s High Court.
The action seeks compensation on behalf of hotel guests in England and Wales who made reservations at hotel brands within the Starwood/Marriott International Group.
The legal action follows a vulnerability in Marriott’s customer booking system that can be traced to the Starwood Hotels and Resorts Worldwide group, which Marriott International acquired in 2016.
Its booking systems were compromised in 2014 but the breach was only detected in 2018. Guests’ names, email and postal addresses, phone numbers and credit card details were among the data exposed.
Marriott International already faces a £99m (€110m) fine for breaching Europe’s General Data Protection Regulation (GDPR), following the cyberattack.
The fine is due to be handed out by UK data regulator the Information Commissioner’s Office (ICO), which, in line with the GDPR, has taken the lead in the case on behalf of Europe’s other data regulators.
The ICO said the cyberattack exposed the personal data of 339 million Marriott guests globally, including 30 million in Europe and seven million in the UK.
Mr Bryant said the action represents everyone resident in England and Wales whose data was stolen in the Starwood/Marriott breach, wherever in the world they stayed. Law firm Hausfeld is representing claimants.
“This case states that the cyberattack was the result of a failure to take adequate steps to ensure the security of guests’ personal data, and to prevent unauthorised and unlawful processing of that data. That failure was a breach of data protection legislation. This is a serious case,” said Mr Bryant.
Hotel brands where affected guests stayed include W Hotels, St Regis, Sheraton Hotels & Resorts, and Le Meridien.