Tech journalist files class-action lawsuit against Marriott Hotels in the High Court over gigantic data breach
- Martin Bryant accuses Marriott Hotels of violating data protection legislation
- Hackers gained access to the Starwood guest reservation database in 2014
- The personal details of 339million guests were affected by the cyberattack
The founder of a technology consultancy is bringing a legal case against Marriott Hotels at the High Court over claims that it failed to protect the data of hundreds of millions of customers.
Martin Bryant is leading the lawsuit which seeks compensation on behalf of England and Wales residents whose data was exposed after they made reservations with the Marriott-owned Starwood Hotels group.
Hackers gained access to the Starwood guest reservation database in 2014. Marriott eventually discovered the breach in September 2018, and later made customers aware of it two months later.
Marriott, which purchased Starwood Hotels in 2016, was fined £99million by the ICO over the episode, whom US officials have accused China of masterminding
An investigation by the Information Commissioner’s Office (ICO) found that the personal details of 339 million guests across the world were affected by the cyberattack.
About seven million UK guest records were affected by the breach, which saw credit card records, dates of birth, and passport and telephone numbers among the information stolen by hackers.
Marriott, which purchased Starwood Hotels in 2016, was fined £99million by the ICO over the episode, whom US officials have accused China of masterminding, claims that the Chinese state has denied.
Bryant accuses the world’s largest hotel chain of violating data protection legislation, claiming it did not ‘take adequate steps to ensure the security of guests’ personal data, and to prevent unauthorised and unlawful processing of that data.’
The former editor-in-chief of technology website The Next Web currently runs the business and marketing consultancy Big Revolution. He hopes the case will make society put greater value on people’s personal data.
Law firm Hausfeld is representing him in the case, which is being funded by Harbour Litigation. Hotel guests affected by the action are not liable for any costs of the legal action.
Bryant’s action has been filed in the High Court after a legal decision last year that a collective action could be served against Google over alleged unlawful tracking of iPhone users
In a statement on his website, Bryant said the ICO sanction does not go far enough in encouraging Marriott to change its behaviour.
He writes: ‘If a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change.
‘But if the company becomes accountable to the customers whose data they lost, it’s a different matter.’
The suit covers any person domiciled in England and Wales who stayed at 11 hotel brands belonging to Marriott including Sheraton Hotels & Resorts, Design Hotels, and The Luxury Collection in the relevant period before September 10 2018.
Bryant accuses the Marriott of not taking ‘adequate steps to ensure the security of guests’ personal data, and to prevent unauthorised and unlawful processing of that data’
The class action has been filed in the High Court after a Court of Appeal decision last year that a collective action could be served against Google over alleged unlawful tracking of iPhone users in 2011 and 2012 through third-party cookies. Google is appealing the case.
Reuters said a London-based spokeswoman for Marriott was not immediately available for comment.
Marriott fell victim to a hack again this year when it confessed in March that the information of up to five million guests had been accessed by someone using the log-in details of two staff members at a franchise property.
It came just as the company was reeling from the fallout of the plummeting demand for hotel rooms caused by the coronavirus pandemic.
It said it had notified the relevant authorities of the breach and had begun an investigation when it discovered the breach and did not think it would bear large costs from the incident.