Marriott International is the subject of a lawsuit in the United Kingdom brought by millions of former guests seeking compensation for the exposure of their data in a massive breach.
The class action-style lawsuit, filed by U.K. resident Martin Bryant, comes in response to a security incident in which hackers accessed information about more than 300 million people between July 2014 and September 2018.
The breach, first revealed in 2018, included data such as email addresses, phone numbers and credit card data about people who booked reservations through the Starwood Hotels chain, which Marriott acquired. U.S. officials privately attributed the breach to hackers working on behalf of China’s Ministry of State Security, the New York Times reported. Passport numbers belonging to some 25 million people were also involved.
In a statement, Bryant said he filed the lawsuit because the hotel operators had failed to “take adequate steps to ensure the security of guests’ personal data, and to prevent unauthorized and unlawful processing of that data.” If users’ data is exploited for identity theft or fraud, he wrote, they are powerless to stop it.
“If a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change,” Bryant wrote. “But if the company becomes accountable to the customers whose data they lost, it’s a different matter.”
The legal action represents all residents in England and Wales whose data was stolen in the breach, regardless of where they stayed, Bryant wrote.
The list of properties includes W Hotels, St. Regis, Sheraton Hotels and Resorts, Westin, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien, Four Points by Sheraton and Design Hotels.
The suit seeks unspecified damages. Marriott did not immediately respond to a request for comment.
The U.K. Information Commissioner’s Office last year proposed to fine Marriott International 99.2 million pounds ($133 million at the time) in connection with the breach, which compromised data about roughly 7 million U.K. residents. That process remains ongoing.
The latest suit was filed in the High Court of England and Wales, the same venue that last year authorized a similar lawsuit to proceed against Google for its alleged monitoring of iPhone users via third-party cookies in 2011 and 2012.