emiliau - Fotolia

Marriott slapped with class action lawsuit over 2018 breach

Group action brings together millions of victims who stayed at the Starwood hotel chain over a four-year period

A former technology journalist is to lead a class action lawsuit against Marriott International, seeking compensation on behalf of millions of hotel guests from England and Wales who fell victim to a data breach at its Starwood Hotels chain.

Half a billion guest records were exposed in the Starwood data breach, which unfolded over a four-year period between July 2014 and September 2018.

The leaked data included names, postal address, phone numbers, email addresses, passport numbers, loyalty programme details, birth dates, gender, reservation information, communication preferences and, in some instances, payment card details.

Marriott, which took over Starwood in 2016, was heavily criticised for failing to take adequate measures to ensure the security of its guests’ data, and to stop unauthorised and illegal processing of it. It has been fined £99m by the UK’s Information Commissioner’s Office (ICO), although this fine is currently being deferred for a number of reasons.

The representative claimant in the action is Martin Bryant – founder of technology and media consultancy Big Revolution and previously editor-in-chief at technology news website The Next Web – who is being represented by law firm Hausfeld.

Bryant and Hausfeld are claiming for loss of control of personal data resulting from Marriott’s breaches of the General Data Protection Regulation (GDPR) and/or its statutory duties under the Data Protection Act (DPA) 1998.

“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own,” said Bryant.

“I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly.”

Hausfeld partner Michael Bywell added: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

The claim is being brought as a representative action, which means anyone living in England and Wales who made a reservation to stay at a Starwood property before 10 September 2018 will automatically be included in it at no cost or risk to themselves. Further details are available at a claim website set up for the purpose.

ProPrivacy’s Attila Tomascheck commented: “Perhaps, slowly but surely, large corporations are finally starting to be held accountable for ensuring customer data is kept properly secured.

Read more about security at Marriott

  • Both British Airways and Marriott International have had their General Data Protection Regulation fines deferred until later in 2020.
  • Marriott International has egg on its face once again following a second data breach in as many years, but there are encouraging signs in its response that suggest it is at least trying to learn from its experiences.
  • Hotel group Marriott International is the second major company to be fined by the UK privacy watchdog for infringements of the GDPR.

“The collective action lawsuit filed by Martin Bryant against Marriott in response to the massive data breach the hotel chain disclosed in 2018 is not at all insignificant – it’s a shot fired by an influential tech journalist that is sure to make waves and not go unnoticed.

“It’s a signal that the days of the largest corporations in the world being free to mishandle sensitive consumer data with impunity are numbered.

“It’s a warning that recklessly leaving systems vulnerable to attack and allowing hundreds of millions of consumers’ private data to fall into the hands of criminals will no longer be met with a mere slap on the wrist.”

Tomascheck said Marriott could apologise and promise to do better until it was blue in the face, but until it made the effort to properly protect its customers’ data in the first place, and work towards truly mitigating the risks of a data breach – note that it disclosed a second incident earlier in 2020 – “shots will continue to be fired” by the victims.

Orange Cyberdefense’s Stuart Reed added: “The news of an impending lawsuit against Marriott is the latest in a series of blows suffered by the international hotel group. Having already been served with a fine last year, this should serve as a wake-up call to organisations of all sizes of the potential severity of penalties faced by those who fail to recognise that cyber security can no longer be treated as a lower-priority activity.

“It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene. It is now very clear that the consequence of poor cyber security is no longer just damage to intangible items such as brand reputation. Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cyber security.”

Read more on Privacy and data protection

Data Center
Data Management