Following a data breach involving the Starwood guest reservation database, unknown persons gained access to hundreds of millions of guest records between July 2014 and September 2018. The case seeks compensation from Marriott International on behalf of millions of hotel guests domiciled in England & Wales who made reservations at hotel brands within the Starwood hotel group, now part of Marriott International.
Hotel brands where affected guests stayed include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotel & Resorts, Four Points by Sheraton and Design Hotels.
The systems of the Starwood hotel group were compromised following a hack on its reservation network, which is believed to have first occurred in 2014. Marriott International acquired the Starwood Hotel group in 2016 but the exposure of customer information was not discovered until 2018. The guests’ personal data affected by the breach included information such as guests’ names, email and postal addresses, telephone numbers, gender and credit card information.
On 9 July 2019, the UK Information Commissioner’s Office (the “ICO”) issued a statement of its intention to fine Marriott. In the statement, the ICO said: “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The Claimant is Martin Bryant who brings a representative action on behalf of the affected hotel guests. Commenting on the case, Martin Bryant said:
“Personal data is increasingly critical as we live more of our lives online, but as consumers we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own. I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly.”
Michael Bywell, Partner at Hausfeld, added:
“Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”
As a result of Marriott’s breaches of the GDPR and/or statutory duty under the DPA 1998, Martin Bryant (the “Representative Claimant”) and those whom he represents, claim damages for loss of control of their personal data. The claim is being brought as a representative action under Rule 19.6 of the Civil Procedure Rules. Everyone with the same interest as Martin Bryant is included in the claimant class, unless they opt out.
Claims of this size and nature are difficult to bring and sustain without the benefit of litigation funding. The claim is financed by Harbour Litigation Funding.
Guests domiciled in England and Wales who made a reservation to stay around the world in one of the former Starwood brand hotels listed above before 10 September 2018 will automatically be included within the class.
The hotel guests on whose behalf the claim is brought will not pay costs or fees to participate in this legal action and have no financial risk in relation to the claim.
For additional information or to register interest, please visit the MDB claim website www.marriottdatabreachclaim.co.uk.
The case has been widely reported by global press including:
|Alliance News Global 500 (subscription)||Bloomberg Law|
|Capital France (subscription)||CityAM|
|Commercial Risk||Daily Mail|
|Financial Times (subscription)||Fox News|
|Global Data Review (susbcription)||Info Risk Today|
|Law.com (susbcription)||Lawyer Monthly|
|National Post||New York Times|
|The Caterer||The Guardian|
|The Lawyer||The Telegraph|
|The Times (subscription)||This Is Money|
|Thomson Reuters||US News|