Marriott International Sued In High Court Over Massive Data Breach

The repercussions for hotel chain Marriott International of its mammoth data breach, which ran over a four-year period, continue to be felt.

The “colossal” hack on Marriott International was first revealed to the world back in December 2018, and it affected the personal details and payment card data of up to 340 million people – dating right back to 2014.

The data breach happened when the systems of the Starwood hotels group were compromised in 2014.

High Court lawsuit

Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

In July 2019 Marriott was handed a £99 million fine by the UK data protection watchdog.

And to make matters worse, in April this year Marriott confirmed it had suffered a second data breach that had compromised the personal data of roughly 5.2 million guests around the world.

And now Marriott International is facing a class action lawsuit in the High Court, brought by millions of former guests demanding compensation, Reuters reported.

Martin Bryant, founder of technology and media consultancy Big Revolution, is leading the claim for English and Welsh-domiciled guests.

“I hope this case will raise awareness of the value of our personal data, result in fair compensation … and also serve notice to other data owners that they must hold our data responsibly,” he reportedly said in a statement.

The lawsuit, which seeks unspecified damages for loss of control of personal data, automatically includes guests who made a reservation for one of the former Starwood brand hotels – including Sheraton Hotels & Resorts and St. Regis hotels – before 10 September 2018.

“We don’t have a comment to make at this time,” a London-based spokeswoman for Marriott was quoted by Reuters as saying.

The Marriott breach impacted approximately seven million British guest records, it is reported.

Multiple blows

The fact that Marriott is facing another legal challenge over the breach shows the importance of properly securing customer data, experts have said.

“The news of an impending lawsuit against The Marriott is the latest in a series of blows suffered by the international hotel group,” said Stuart Reed, UK director at Orange Cyberdefense.

“Having already been served with a £100 million fine last year, this should serve as a wake-up call to organisations of all sizes of the potential severity of penalties faced by those who fail to recognise that cybersecurity can no longer be treated as a lower priority activity,” said Reed.

“It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene,” said Reed. “As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organisations have a duty of care to their customers.”

“Preventative measures are simply not sufficient,” warned Reed. “There must also be ongoing monitoring of key systems and robust response procedures in place to minimise the impact should the worst happen and a breach occur.”

“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation,” said Reed. “Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.”

Benchmark case?

Another expert agreed the lawsuit demonstrated the need for organisations to safeguard customer data because of GDPR protections.

“Article 82 of the GDPR is in a little bit of a backwater and is often forgotten about. That is all about to change though with the, in my opinion, much-anticipated case against Marriott,” explained Darren Wray, CTO at data privacy experts Guardum.

“The GDPR allows any person who has suffered material or non-material damage as a result of an infringement of the GDPR, the right to receive compensation from the data controller or processor for the damage suffered,” said Wray. “In my opinion, this will be the first of many such court cases that will follow on the back of high profile data breaches that have taken place since the introduction of the GDPR in May 2018.”

“While all court cases are different, if the case goes against Marriott Hotels any fines are likely to be based on the number of people whose data was lost as part of the breach,” said Wray. “We don’t know how many of the 500 million records that were believed to be lost are residents of the UK and Wales, but even if the damages were to be £100 for 1 million people, the size of the damages is definitely something that Marriott is going to fight hard to avoid.”

“Companies need to be proactive right now to ensure that they don’t find themselves in the High Court attempting to defend a breach. Ensuring that they have the right processes and procedures in place so breaches are spotted and dealt with quickly and efficiently goes a long way with judges and regulators alike, as does ensuring that personal data is deleted or redacted at the end of its life,” Wray concluded.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
