The repercussions for the hotel chain Marriott International of the mammoth data breach it suffered over a four-year period continue to be felt.
The “colossal” hack on Marriott International was first revealed to the world back in November 2018, and it affected the personal details and payment card data in up to roughly 383 million guest records (revised down from an initial estimate of 500 million) – dating right back to 2014.
The breach began when the reservation systems of the Starwood hotels group were compromised in 2014.
Marriott subsequently acquired Starwood in 2016, but the compromise was not discovered until 2018, long after the acquisition had closed.
To make matters worse, in April this year Marriott confirmed it had suffered a second data breach, which compromised the personal data of roughly 5.2 million guests around the world.
Now Marriott International is facing a class action lawsuit in the High Court in London, brought on behalf of millions of former guests demanding compensation, Reuters reported.
Martin Bryant, founder of technology and media consultancy Big Revolution, is leading the claim for English and Welsh-domiciled guests.
“I hope this case will raise awareness of the value of our personal data, result in fair compensation … and also serve notice to other data owners that they must hold our data responsibly,” he reportedly said in a statement.
The lawsuit, which seeks unspecified damages for loss of control of personal data, is brought on an opt-out basis: it automatically includes English- and Welsh-domiciled guests who made a reservation at one of the former Starwood brand hotels – including Sheraton Hotels & Resorts and St. Regis hotels – before 10 September 2018.
“We don’t have a comment to make at this time,” a London-based spokeswoman for Marriott was quoted by Reuters as saying.
The breach is reported to have affected approximately seven million UK guest records.
The fact that Marriott is facing another legal challenge over the breach shows the importance of properly securing customer data, experts have said.
“The news of an impending lawsuit against The Marriott is the latest in a series of blows suffered by the international hotel group,” said Stuart Reed, UK director at Orange Cyberdefense.
“Having already been served with a £100 million fine last year, this should serve as a wake-up call to organisations of all sizes of the potential severity of penalties faced by those who fail to recognise that cybersecurity can no longer be treated as a lower priority activity,” said Reed.
“It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene,” said Reed. “As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organisations have a duty of care to their customers.”
“Preventative measures are simply not sufficient,” warned Reed. “There must also be ongoing monitoring of key systems and robust response procedures in place to minimise the impact should the worst happen and a breach occur.”
“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation,” said Reed. “Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.”
Another expert agreed the lawsuit demonstrated the need for organisations to safeguard customer data, because of the compensation rights the GDPR gives data subjects.
“Article 82 of the GDPR is in a little bit of a backwater and is often forgotten about. That is all about to change though with the, in my opinion, much-anticipated case against Marriott,” explained Darren Wray, CTO at data privacy experts Guardum.
“The GDPR gives any person who has suffered material or non-material damage as a result of an infringement of the GDPR the right to receive compensation from the data controller or processor for the damage suffered,” said Wray. “In my opinion, this will be the first of many such court cases that will follow on the back of high profile data breaches that have taken place since the introduction of the GDPR in May 2018.”
“While all court cases are different, if the case goes against Marriott Hotels any fines are likely to be based on the number of people whose data was lost as part of the breach,” said Wray. “We don’t know how many of the 500 million records that were believed to be lost are residents of the UK and Wales, but even if the damages were to be £100 for 1 million people, the size of the damages is definitely something that Marriott is going to fight hard to avoid.”
“Companies need to be proactive right now to ensure that they don’t find themselves in the High Court attempting to defend a breach. Ensuring that they have the right processes and procedures in place so breaches are spotted and dealt with quickly and efficiently goes a long way with judges and regulators alike, as does ensuring that personal data is deleted or redacted at the end of its life,” Wray concluded.