Starwood Hotels’ reservation database was breached between July 2014 and September 2018 © AP

Hotel group Marriott International is facing a lawsuit in London’s High Court for its alleged failure to protect the personal data of millions of former guests in one of the largest data breaches in corporate history.

Martin Bryant, 41, a technology journalist, has filed a collective action lawsuit on behalf of victims in England and Wales whose personal data was exposed after making bookings through the Starwood Hotels group, which is now part of Marriott International.

In 2018, Marriott revealed that hackers had gained unauthorised access to hundreds of millions of guest records worldwide in a security breach of the Starwood guest reservation database between July 2014 and September 2018. 

The data included guests’ names, home and email addresses, telephone numbers, as well as passport and credit card details. The hotel brands affected included W Hotels, Sheraton Hotels & Resorts and Le Meridien Hotels & Resorts.

Up to 7m former guests in England and Wales are thought to have been affected by the data breach and Mr Bryant is the representative claimant in the class action-style lawsuit. All consumers with the same interests are automatically included in the claimant class — unless they opt out.

Mr Bryant, who is represented by law firm Hausfeld, is claiming damages for loss of control of personal data using the Data Protection Act 1998 and the EU’s General Data Protection Regulation. 

He had sought a collective lawsuit because he wanted to serve notice to data owners that they must hold data responsibly, he said.

“Personal data is increasingly critical as we live more of our lives online but, as consumers, we don’t always realise the risks we are exposed to when our data is compromised through no fault of our own,” Mr Bryant said.

The suit adds to Marriott’s legal troubles stemming from the breach. The company also faces several lawsuits filed by consumers in the US and in the Canadian courts relating to the incident

Marriott said it did not comment on pending litigation.

The UK’s data protection regulator, the Information Commissioner’s Office, announced in July last year a statement of its intent to fine Marriott £99m over the data breach following an investigation. A final decision is expected on the fine next month. 

Collective actions are becoming more commonplace in the English courts. Last year, a groundbreaking Court of Appeal ruling allowed a lawsuit brought by consumer champion Richard Lloyd to go ahead against Google.

Mr Lloyd is the representative claimant for more than 4m Apple iPhone users and alleges that Google has taken individuals’ browser-generated information without their consent in contravention of the 1998 Data Protection Act. Google is appealing against the decision.

Get alerts on Data protection when a new story is published

Copyright The Financial Times Limited 2020. All rights reserved.
Reuse this content (opens in new window)

Comments have not been enabled for this article.

Follow the topics in this article