Hotel group Marriott International is facing legal action in London over a huge data breach that compromised the personal details of roughly 393m guests.
Martin Bryant, who runs a tech and media consultancy firm, has filed a collective action in the High Court on behalf of millions of guests from England and Wales who were affected by the hack.
“I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly,” Bryant said in a statement.
The breach is thought to have occurred after a 2014 cyber attack on the Starwood hotel group — which Marriott acquired in 2016 — though it was not discovered until 2018.
Guests’ names, email and postal addresses, phone numbers and credit card details were among the data exposed.
Hotel brands where affected guests stayed include W Hotels, St Regis, Sheraton Hotels & Resorts and Le Meridien.
The lawsuit, which is claiming unspecified damages for loss of control of personal data, automatically includes anyone who stayed in one of the affected hotels before 10 September 2018.
The legal action is the latest blow for Marriott after the UK data watchdog last year said it would fine Marriott £99m for the breach.
The Information Commissioner’s Office said the hotel group “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
“Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them,” said Michael Bywell, partner at Hausfeld, the law firm representing Bryant.
“Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”
Marriott International did not immediately respond to a request for comment.