Marriott faces legal action after hackers zero in on guests
Hotel giant Marriott International will face a group legal action in Britain’s High Court over its alleged failure to safeguard the details of millions of customers in one of the largest data breaches in history.
Martin Bryant, founder of Big Revolution, is leading the action, which is seeking compensation for guests who made bookings through the Starwood Hotels Group, which is now part of Marriott.
Hackers allegedly gained access to a host of personal data, including guest names, email addresses, passports, and credit card details in a breach of the hotel chain’s reservation database between 2014 and 2018. When first disclosing the breach, the hotel firm said the guest records of around 339m people had been accessed and it believed that more than five million unencrypted passport numbers were part of the information accessed.
Seven million records were said to be related to UK residents.
The breach led to the Information Commissioner’s Office (ICO) announcing its intention to fine the company £99m under the EU’s General Data Protection Regulation (GDPR) legislation. The regulator’s final fine amount is due to be announced later this year.
Mr Bryant’s case alleges that the cyber attack was the result of a “failure to take adequate steps to ensure the security of guests’ personal data”. He stated that the failure to do so represented a breach of data protection legislation.
“It’s become a depressingly familiar situation. You get an email from a company telling you that they’ve suffered a data breach and your personal information was stolen,” Mr Bryant said in a blog post published yesterday.
“You sigh, you shrug, and then you forget about it – because you’re powerless. You can’t get that personal data back. It might end up being used for identity theft or fraud, and there’s nothing you can do about it.”
Mr Bryant said that if a company suffers a fine for breaking data protection rules there was “little incentive” for anything to change. “But if the company becomes accountable to the customers whose data they lost, it’s a different matter,” he said.
The group action represents everyone resident in England and Wales whose data was stolen during the breach, regardless of where they stayed.
Customers who stayed at brands like W Hotels, St Regis, Sheraton Hotels and Resorts, and Westin Hotels and Resorts will automatically be included.
The action is being backed by litigation funder Harbour with law firm Hausfeld taking proceedings. Marriott had yet to respond at the time of publication.
UK director of Orange Cyberdefense Stuart Reed said that the legal action should act as a “wake-up call”.
Hotel giant Marriott International, including its other brands such as the Westin Europa Regina in Venice, faces legal action after many of its customers had their data breached