Hotel giant Marriott International will face a group legal action in Britain’s High Court over a data breach that led to the theft of millions of customers’ personal details.
Martin Bryant, a tech journalist and founder of media consultancy business Big Revolution, is leading the action, which seeks compensation for guests who made bookings through the Starwood Hotels Group, now part of Marriott.
Hackers allegedly gained access to a host of personal data, including guest names, email addresses, passports, and credit card details in a breach of the hotel chain’s reservation database between 2014 and 2018.
The breach led to the Information Commissioner’s Office (ICO) announcing its intention to fine the company £99m under GDPR legislation. The regulator’s final fine amount is due to be announced later this year.
Mr Bryant’s case alleges that the cyber attack was the result of a “failure to take adequate steps to ensure the security of guests’ personal data”. He stated that the failure to do so represented a breach of data protection legislation.
“It’s become a depressingly familiar situation. You get an email from a company telling you that they’ve suffered a data breach and your personal information was stolen,” Mr Bryant said in a blog post published on Wednesday.
“You sigh, you shrug, and then you forget about it — because you’re powerless. You can’t get that personal data back. It might end up being used for identity theft or fraud, and there’s nothing you can do about it.”
Mr Bryant said that if a company suffers a fine for breaking data protection rules there was “little incentive” for anything to change.
“But if the company becomes accountable to the customers whose data they lost, it’s a different matter,” he said.
The group action represents everyone resident in England and Wales whose data was stolen during the breach, regardless of where they stayed.
Customers who stayed at brands like W Hotels, St Regis, Sheraton Hotels and Resorts, and Westin Hotels and Resorts will automatically be included in the group action unless they opt out.
The action is being backed by litigation funder Harbour with law firm Hausfeld taking proceedings.
UK director of Orange Cyberdefense Stuart Reed said that the legal action should act as a “wake-up call” to organisations of all sizes.
“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation,” he said.
“Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.”
Cybersecurity specialist at ESET Jake Moore said that personal data had “never been so valuable”.
“Customers have every right to go after companies who lose their data,” he said. “Cases like this raise awareness in the proceedings, forcing other firms at risk to take better care of their data.”
Marriott had yet to respond at the time of writing.
The ICO announced its intention to fine Marriott in July 2019, a day after it unveiled a record intention to fine British Airways £183.39m for breaches of data protection law.