Marriott International, which the Information Commissioner's Office (ICO) has issued a notice of intent to fine £99.2 million for failing to protect customer records in a massive data breach, is now also facing a group action (the English-law equivalent of a class action) filed in the High Court in London over the same incident.
The "data breach group action" was filed in the High Court of England and Wales against Marriott International by Martin Bryant, the founder of technology and media consultancy Big Revolution and previously the editor-in-chief of technology publication The Next Web. The lawsuit is being funded by Harbour Litigation and law firm Hausfeld will represent Bryant in court.
In a blog post published earlier today, Bryant announced the filing of the group action lawsuit against Marriott International, stating that major corporations must be made to compensate their customers for failing to secure their personal information.
"If a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change. But if the company becomes accountable to the customers whose data they lost, it’s a different matter.
"That’s why I have filed a data breach group action in the High Court of England and Wales against Marriott International. The action seeks compensation on behalf of millions of hotel guests who made reservations at hotel brands within the Starwood group," he said.
The compromise lasted roughly four years: attackers had access to the Starwood guest reservation database from 2014 until it was discovered in 2018, and exfiltrated guest information stored in it over that period. Marriott only acquired Starwood in 2016, so the intrusion predates the acquisition and went undetected through the due-diligence and integration process.
The breach impacted the personal and financial information of millions of people who made bookings at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
For approximately 327 million guests, the affected Starwood guest reservation database held some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account number, date of birth and gender. For some of those guests it also held payment card numbers and expiration dates. Marriott stated that the card numbers were encrypted with AES-128, but that it could not rule out that the components needed to decrypt them had also been taken, so the encryption cannot be assumed to have protected the card data.
According to the ICO, the incident exposed approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and 7 million related to UK residents.
According to The New York Times, China's Ministry of State Security sponsored the cyber attack on Marriott's Starwood reservation system and also carried out other widely-publicised hacking operations that targeted the U.S. Office of Personnel Management and Anthem, the largest health insurance firm in the United States.
The report added that the compromise of Marriott's Starwood guest reservation system was part of a broader Chinese intelligence-gathering effort to build an extensive database of U.S. government officials and executives with security clearances, for which travel records are a valuable source.
Commenting on the group action filed against Marriott, Stuart Reed, UK Director of Orange Cyberdefense, said this should serve as a wake-up call to organisations of all sizes about the potential severity of the penalties faced by those who fail to recognise that cybersecurity can no longer be treated as a lower-priority activity. It is essential that all organisations take the utmost care and due diligence when applying relevant processes and procedures for good data hygiene.
“As well as being subject to GDPR and the legal, financial, and reputational implications that come with it, organisations have a duty of care to their customers. Preventative measures are simply not sufficient. There must also be ongoing monitoring of key systems and robust response procedures in place to minimise the impact should the worst happen and a breach occur.
“It is now very clear the consequence of poor cybersecurity is no longer just damage to intangible items such as brand reputation. Organisations are now faced with direct legal and financial consequences if they are unable to demonstrate a mature approach to cybersecurity. These penalties are now being inflicted without hesitation.
“Cybersecurity is the responsibility of all within the organisation. Ongoing education and awareness amongst employees from the board down is critical to ensuring a layered approach of people, process and technology, and to preventing costly customer data breaches,” he added.