A class action-style suit has been filed in the High Court of England and Wales against hotel group Marriott International over 2018 data breach that exposed personally identifiable details of more than 300 million people around the world.
The representative legal challenge has been filed by Martin SFP Bryant, a UK resident, on behalf of millions of hotel guests domiciled in England & Wales, whose private data was exposed in the breach.
"The action seeks compensation on behalf of millions of hotel guests who made reservations at hotel brands within the Starwood group," Bryant said in a blog post.
Starwood group was acquired by Marriott International in 2016.
"This case states that the cyber attack was the result of a failure to take adequate steps to ensure the security of guests' personal data, and to prevent unauthorised and unlawful processing of that data."
According to Bryant, the lawsuit covers all former guests who stayed in a hotel belonging to any of the following brands before 10 September 2018:
- Sheraton Hotels & Resorts
- Element Hotels
- St. Regis
- W Hotels
- Westin Hotels & Resorts
- The Luxury Collection
- Aloft Hotels
- Le Méridien Hotel & Resorts
- Tribute Portfolio
- Design Hotels
- Four Points by Sheraton
Bryant is being represented by Hausfeld, an international law firm specialising in group actions.
Those eligible to participate in the litigation face no fees - nor do they face any financial risk from the lawsuit - which is being funded by Harbour Litigation Funding.
Personal data of nearly seven million British guests was compromised in Marriott breach, the UK Information Commissioner's Office (ICO) said last year, while proposing to fine Marriott 99.2 million pounds.
The regulatory process was later extended until 30th September 2020, after which the ICO will make its final decision.
Marriott disclosed the hack in November 2018, stating that an unidentified group of hackers accessed the names, addresses, passport numbers and contact details of customers from Starwood Hotels reservation system.
The breach likely started in July 2014 and continued until September 2018, according to the company, and impacted more than 300 million people.
And this was not the only data breach to impact the international hotel group.
In April, Marriott International disclosed another data breach, which started in mid-January and came to notice of Marriott's IT security team only in late February. Personal details of up to 5.2 million guests were exposed in the incident, the company believed.
It said that the security incident involved an application that was used by its hotels to provide services to guests. The hackers obtained the login credentials of two employees at a franchise property, and then used the access to steal the personal information of up to 5.2 million guests from Marriott's systems.
"As our lives become increasingly digital, our personal data will only become more important," Bryant said.
"It's time we all as a society valued it more. That's what I hope this case will achieve."
Joseph Sullivan paid hackers $100,000 to keep silent about the hack
Attackers likely entered the network through a phishing scam or brute force attack
An anonymous hacker claims to have breached Intel server earlier this year and stolen data from the system
The attacker likely exploited CVE-2019-11510 security flaw to gain access to vulnerable systems
The Florida State Attorney's office is handling the prosecution of a 17-year old boy for his role in the Twitter hack that affected accounts including those belonging to Bill Gates and Elon Musk