Hotel chain Marriott International is facing legal action in the High Court following a major data breach that affected approximately 500 million guests.
The case seeks compensation from Marriott International on behalf of millions of hotel guests living in England and Wales who made reservations at hotel brands within the Starwood hotel group, now part of Marriott International. Marriott acquired Starwood in 2016, making it the world's largest hotel company.
The systems of the Starwood hotel group were compromised following a hack on its reservation network, which is believed to have first occurred in 2014, but the exposure of customer information was not discovered until 2018. The data affected by the breach included guests' names, email and postal addresses, telephone numbers, gender and credit card information.
In July 2019, the UK Information Commissioner's Office (ICO) issued a statement of its intention to fine Marriott. In the statement, the ICO said: "The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." Marriott responded by saying it would contest the £99.2m fine.
The claimant is Martin Bryant, who brings a representative action on behalf of the affected guests. He said: "Personal data is increasingly critical as we live more of our lives online, but as consumers we don't always realise the risks we are exposed to when our data is compromised through no fault of our own.
"I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott's vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly."
Michael Bywell, partner at Hausfeld, the legal firm representing Bryant, added: "Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests' personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects."
Marriott International declined to comment on the High Court action.
The group revealed in March this year that it may have been hit by a second data breach affecting up to 5.2 million guests. The group said that between January and February, guest information may have been accessed using the login credentials of two employees at a franchise property.