The lawsuit has been launched on behalf of guests who made reservations at hotel brands during this period within the Starwood Hotels Group, which is owned by Marriott International.
The lawsuit states that the cyber attack was a result of “failure to take adequate steps to ensure the security of guests’ personal data, and to prevent unauthorised and unlawful processing of that data”, which was in turn a breach of data protection legislation.
The action is being led by Martin Bryant, who has filed a data breach group action in the High Court of England and Wales against the international hotel chain. He is being supported by law firm Hausfeld.
Bryant said that “like millions of others”, he only received notification of the breach in late 2018.
In a statement, he said: “It’s become a depressingly familiar situation. You get an email from a company telling you that they’ve suffered a data breach and your personal information was stolen.
“You sigh, you shrug, and then you forget about it — because you’re powerless. You can’t get that personal data back. It might end up being used for identity theft or fraud, and there’s nothing you can do about it.”
He added: “But the fact is there should be recompense. If a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change.
“But if the company becomes accountable to the customers whose data they lost, it’s a different matter.”
Michael Bywell, partner at Hausfeld, added: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”
Marriott International has been reached for comment.