Marriott hit by London lawsuit over one of biggest data breaches in history

W Dubai - The Palm. Marriott International Hotel - RALF TOOTEN

Hotel giant Marriott International will face a group legal action in Britain’s High Court over its alleged failure to safeguard the details of millions of customers in one of the largest data breaches in history.

Martin Bryant, founder of Big Revolution, is leading the action, which seeks compensation for guests who made bookings through the Starwood Hotels Group, which is now part of Marriott.

Hackers allegedly gained access to a host of personal data, including guest names, email addresses, passports, and credit card details in a breach of the hotel chain’s reservation database between 2014 and 2018.

When first disclosing the breach, the hotel firm said the guest records of around 339 million people had been accessed and it believed that more than five million unencrypted passport numbers were part of the information accessed.

Seven million records were said to be related to UK residents.

The breach led to the Information Commissioner’s Office (ICO) announcing its intention to fine the company £99m under the EU’s General Data Protection Regulation (GDPR) legislation. The regulator’s final fine amount is due to be announced later this year.

High-profile hacks

Mr Bryant’s case alleges that the cyber attack was the result of a “failure to take adequate steps to ensure the security of guests’ personal data”. He stated that the failure to do so represented a breach of data protection legislation.

“It’s become a depressingly familiar situation. You get an email from a company telling you that they’ve suffered a data breach and your personal information was stolen,” Mr Bryant said in a blog post published on Wednesday.

“You sigh, you shrug, and then you forget about it – because you’re powerless. You can’t get that personal data back. It might end up being used for identity theft or fraud, and there’s nothing you can do about it.”

Mr Bryant said that if a company suffers a fine for breaking data protection rules there was “little incentive” for anything to change.

“But if the company becomes accountable to the customers whose data they lost, it’s a different matter,” he said.

The group action represents everyone resident in England and Wales whose data was stolen during the breach, regardless of where they stayed.

Customers who stayed at brands like W Hotels, St Regis, Sheraton Hotels and Resorts, and Westin Hotels and Resorts will automatically be included in the group action unless they opt out.

The action is being backed by litigation funder Harbour with law firm Hausfeld taking proceedings.

UK director of Orange Cyberdefense Stuart Reed said that the legal action should act as a “wake-up call” to organisations of all sizes.

“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation,” he said.

“Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.”

Cybersecurity specialist at ESET Jake Moore said that personal data had “never been so valuable”.

“Customers have every right to go after companies who lose their data,” he said. “Cases like this raise awareness in the proceedings, forcing other firms at risk to take better care of their data.”

Marriott had yet to respond at the time of writing. It also faces a number of lawsuits filed by former guests in the US and in the Canadian courts.

The ICO announced its intention to fine Marriott in July 2019, a day after it unveiled a record intention to fine British Airways £183.39m for breaches of data protection law.