Mar­riott faces le­gal ac­tion af­ter hack­ers zero-in on guests

The Daily Telegraph - Business - - Business - By Michael Cogley

HO­TEL gi­ant Mar­riott In­ter­na­tional will face a group le­gal ac­tion in Bri­tain’s High Court over its al­leged fail­ure to safe­guard the de­tails of mil­lions of cus­tomers in one of the largest data breaches in his­tory.

Martin Bryant, founder of Big Revo­lu­tion, is lead­ing the ac­tion which is seek­ing com­pen­sa­tion for guests that made book­ings through the Star­wood Ho­tels Group, which is now part of Mar­riott.

Hack­ers al­legedly gained ac­cess to a host of per­sonal data, in­clud­ing guest names, email ad­dresses, pass­ports, and credit card de­tails in a breach of the ho­tel chain’s reser­va­tion data­base be­tween 2014 and 2018. When first dis­clos­ing the breach, the ho­tel firm said the guest records of around 339m peo­ple had been ac­cessed and it be­lieved that more than five mil­lion un­en­crypted pass­port num­bers were part of the in­for­ma­tion ac­cessed.

Seven mil­lion records were said to be re­lated to UK res­i­dents.

The breach led to the In­for­ma­tion Com­mis­sioner’s Of­fice (ICO) an­nounc­ing its in­ten­tion to fine the com­pany £99m un­der the EU’s Gen­eral Data Pro­tec­tion Reg­u­la­tion (GDPR) leg­is­la­tion. The reg­u­la­tor’s fi­nal fine amount is due to be an­nounced later this year.

Mr Bryant’s case al­leges that the cy­ber at­tack was the re­sult of a “fail­ure to take ad­e­quate steps to en­sure the se­cu­rity of guests’ per­sonal data”. He stated that the fail­ure to do so rep­re­sented a breach of data pro­tec­tion leg­is­la­tion.

“It’s be­come a de­press­ingly fa­mil­iar sit­u­a­tion. You get an email from a com­pany telling you that they’ve suf­fered a data breach and your per­sonal in­for­ma­tion was stolen,” Mr Bryant said in a blog post pub­lished yes­ter­day.

“You sigh, you shrug, and then you for­get about it – be­cause you’re pow­er­less. You can’t get that per­sonal data back. It might end up be­ing used for iden­tity theft or fraud, and there’s noth­ing you can do about it.”

Mr Bryant said that if a com­pany suf­fers a fine for break­ing data pro­tec­tion rules there was “lit­tle in­cen­tive” for any­thing to change. “But if the com­pany be­comes ac­count­able to the cus­tomers whose data they lost, it’s a dif­fer­ent mat­ter,” he said.

The group ac­tion rep­re­sents ev­ery­one res­i­dent in Eng­land and Wales whose data was stolen dur­ing the breach, de­spite where they stayed.

Cus­tomers that stayed at brands like W Ho­tels, St Regis, Sher­a­ton Ho­tels and Re­sorts, and Westin Ho­tels and Re­sorts, will au­to­mat­i­cally be in­cluded.

The ac­tion is be­ing backed by lit­i­ga­tion fun­der Har­bour with law firm Haus­feld tak­ing pro­ceed­ings. Mar­riott had yet to re­spond at the time of pub­li­ca­tion.

UK direc­tor of Or­ange Cy­berde­fense Stu­art Reed said that the le­gal ac­tion should act as a “wake-up call”.

Ho­tel gi­ant Mar­riott In­ter­na­tional, in­clud­ing its other brands such as the Westin Europa Regina in Venice, faces le­gal ac­tion af­ter many of its cus­tomers had their data breached

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.