Hotel group Marriott International faces a London class-action lawsuit over a 2018 data breach that saw 339 million customer records stolen by hackers.

Martin Bryant, founder of technology and media consultancy Big Revolution, is leading the claim for English and Welsh guests who were affected by the breach. Seven million records relating to those guests were accessed during the cyberattack, but the specific number of individuals is not known.

“I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly,” Bryant said in a statement.

Between 2014 and 2018 cybercriminals accessed the computer systems of hotel group Starwood, which Marriott acquired in 2016.

Exposed data included names, addresses, phone numbers, email addresses, date of birth, gender, passport numbers and account information.

“We fell short of what our guests deserve,” Marriott CEO Arne Sorenson said at the time.

Mariott could be forced to pay millions

In July 2019 the UK’s data regulator, the Information Commissioner’s Office (ICO), hit Marriott with a £99m GDPR fine. It is one of the highest fines levied under UK data protection law.

The London lawsuit follows other lawsuits in the US and Canada.

International law firm Hausfield, which specialises in class action lawsuits, is representing Bryant. Litigation company Harbour is funding the lawsuit.

Bryant is encouraging those affected by the breach to join the class action lawsuit.

“It will not cost you anything to participate in this legal action and you will have no financial risk in relation to the claim,” said Bryant, who was among those affected by the breach.

The legal action could see the world’s largest hotel operator forced to pay out tens of millions in compensation, should it lose the lawsuit.

“While all court cases are different, if the case goes against Marriott Hotels any fines are likely to be based on the number of people who’s data was lost as part of the breach,”  said Darren Wray, CTO at data privacy firm Guardum.

“We don’t know how many of the 339 million records that were believed to be lost are residents of the UK and Wales, but even if the damages were to be £100 for 1 million people, the size of the damages is definitely something that Marriott is going to fight hard to avoid.”

Marriott lawsuit the “consequence of poor cybersecurity”

In March this year, Marriott announced that it had been hit by a second data breach affecting up to 5.2 million people.

“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation,” said Stuart Reed, UK director at cybersecurity firm Orange Cyberdefense.

“Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties that are now being inflicted without hesitation.”


Read more: Marriott data breach is a disaster but presents an opportunity to change data security for the better