Compensation for data breach by Marriott?

The hotel chain believes the data breach began in 2016, when Marriott began a merger with Starwood Hotels Group, which created “the world’s largest hotel chain with top brands including Sheraton, Ritz-Carlton” and more.

It is believed that Starwood Hotels’ systems had been compromised several years ago, with continued access since 2014. However, the data breach did not emerge until 2018, after Marriott had acquired the chain, meaning the data had been compromised for at least four years.

It is reported that seven million Britons may be affected by the data breach and may be able to sue for compensation.

In September 2018, Marriott were alerted to an attempt to access Starwood’s reservation database, and learned that “an unauthorised party had copied and encrypted information.”

At first it was believed that 500 million guests were involved in the data breach, which would make it one of the largest hacks seen in corporate history.

Marriott have alleged that through “efforts to identify duplicative information in the data” that figure has since been reduced to 383 million records – which they claim does not include “information about 383 million unique guests”.

According to the Information Commissioner’s Office, around 30 million of the affected Marriott customers are based in Europe, with 7 million of those customers being UK residents.

What data has been breached?

According to Marriott, the information copied from the guest reservation database in the data breach includes:

• Personal information such as names, addresses and dates of birth;
• Passport information;
• Arrival and departure details;
• Reservation details such as length of stay;
• 9.1 million encrypted payment card numbers and expiration dates.

Marriott has also confirmed that “several thousand unencrypted payment card numbers” were contained in the breach and that the guests associated with those cards have been notified.


Consumer Backlash

The Information Commissioner’s Office (ICO) alleges that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems” following the merger.

Following an investigation into the data leak, the ICO has since stated its intention to fine Marriott more than £99 million for infringements of the General Data Protection Regulation – which Information Commissioner Elizabeth Denham believes “makes it clear that organisations must be accountable for the personal data they hold”.

The ICO is able to seek a fine of up to 4% of a company’s global annual revenue under the GDPR legislation. In 2018, Marriott International saw revenue of $20.75 billion, meaning the fine could rise to over £700 million if the ICO believes it to be appropriate.

This is another instance of the ICO showing that if a company is seen to breach data protection laws, it will come down hard – as we have also seen with British Airways, who are currently facing a record £183 million fine for last year’s breach of its security systems.

The consumer rights organisation Which? states that this data breach is “on a colossal scale and [would] be of great concern to Marriott customers” whilst also advising that Marriott customers should “be wary of emails regarding the breach, as scammers might try and take advantage of it”.

Marriott’s Response

According to the Information Commissioner’s Office, Marriott has “co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light”.

Marriott has also stated that following the data breach “we immediately engaged leading security experts to help us determine what occurred”, before proceeding to implement “additional security measures”.

Arne Sorenson, president of Marriott International, says that “we deeply regret this incident happened” and that “we are doing everything we can to support our guests, and using lessons learned to be better moving forward”.

The Federal Trade Commission has advised that anyone who believes they have been affected by the data breach take the following measures:

• Check your credit reports from Equifax, Experian and TransUnion;
• Review your payment card statements carefully;
• Place a fraud alert on your credit files;
• Consider placing a credit freeze on your credit reports.

Marriott has also set up a tool called WebWatcher for guests to sign up for, which is free for one year. This will alert you if your personal information is seen to be shared online.



It is now established law that there does not have to be financial loss to make a claim for compensation for a data breach. Compensation for data loss can be obtained for anxiety and concern about your personal data falling into the hands of unauthorised third parties. For more information and guidance on how to make a claim, please see our Data Protection Compensation Claims.

Although it remains to be seen if the stolen data is being misused, there would definitely be grounds for compensation under the General Data Protection Regulation if you have suffered financial loss and distress.
