Marriott International faces a multimillion-pound lawsuit in London’s High Court following the huge data breach it reported in 2018.
The collective action against Marriott on behalf of multiple victims of the breach in England and Wales has been filed by a technology journalist, Martin Bryant.
Marriott revealed hackers had accessed hundreds of millions of guest records in a breach of the Starwood Hotels guest reservation database between July 2014 and September 2018.
The group acquired Starwood in late 2016.
The data included credit card and passport details as well as names, addresses, email addresses and phone numbers.
Up to seven million people in England and Wales are thought to have been affected by the data breach. Lawyers acting on behalf of Bryant have issued a claim as a representative claimant under legislation including the EU General Data Protection Regulation (GDPR).
Class actions are relatively new in the UK, but anyone affected by the breach in the same jurisdiction is automatically included in the claim unless they opt out.
Marriott already faces several lawsuits resulting from the breach in the US and Canada.
The UK data-protection regulator, the Information Commissioner’s Office (ICO), announced its intention to fine Marriott £99 million for “infringements of the General Data Protection Regulation (GDPR)” in July last year.
The ICO said then that the personal information of 339 million customers had been compromised, including encrypted card numbers, and it found Marriott “failed to undertake sufficient due diligence” when it bought Starwood.
Marriott International’s president Arne Sorenson said at the time: “We are disappointed with this notice of intent from the ICO, which we will contest.”
A final decision on the ICO fine is expected next month.
The ICO also announced its intention last year to fine British Airways £183 million for compromising the data of half a million or more customers through a breach in 2018.
However, a parent IAG noted in half-year results at the end of July that it expects now to pay the ICO a fine of £22 million.
IAG reported: “An exceptional expense of €22 million has been recorded in respect of a provision in relation to the theft of customer data at British Airways in 2018.”
Marriott reported a net loss of $234 million for the April-to-June quarter on August 10 but noted it had approximately $4.4 billion available in liquidity.