In this guide, we explore what could happen in the event that a Marriott Hotels data breach occurs.
When we book a stay at a hotel, we trust the establishment with our personal data, such as our name and address. Therefore, the hotel should protect any personal data it collects. If you have been affected by a hotel data breach, this could be a violation of your privacy and security.
Hotel data breaches could also be caused by a lack of adherence to data protection legislation. Consequently, if a data breach is caused by a hotel’s positive wrongful conduct, you may be eligible to claim compensation.
I Suffered A Psychological Injury After A Hotel Or Hospitality Data Breach. What Are My Rights?
Contact Accident Claims UK today if a data breach has affected you financially or psychologically. We could connect you with a skilled data breach lawyer to handle your compensation claim.
Our lawyers have specialist knowledge and could ensure that you receive the correct amount of compensation for your data breach claim. Call us on 0800 073 8801. Alternatively, use our contact form or live chat to enquire.
Select A Section
- A Guide On Your Rights After A Marriott Hotels Data Breach
- What Personal Data Could A Hotel Hold About Me?
- What Is A Personal Data Breach Claim Against Marriott Hotels?
- Steps To Take After A Hotel Or Hospitality Data Breach
- Marriott Data Breach Case Study 2020
- Check That You Are Eligible To Make A Data Breach Claim
- How To Gather Evidence To Support Your Claim
- Calculate Compensation For A Marriott Hotels Data Breach
- Claiming Material And Non-Material Damages Compensation
- No Win No Fee Hotel Data Breach Claims Against Marriott Hotels
- Contact An Advisor
- Hotel And Hospitality GDPR FAQs
- Articles Related To This Guide
Marriott International Inc. is one of the world’s largest hotel companies. As a company that processes personal information, it has to abide by data protection laws.
The EU General Data Protection Regulation (GDPR) is used in the EU. The Data Protection Act 2018 enacts the GDPR into UK law. This Act sits alongside the UK GDPR and contributes to data protection legislation in the UK.
What does the General Data Protection Regulation require from hotels?
Firstly, hotels should take measures to keep the personal data that they collect secure. For example, hotels should train staff on the correct ways to handle personal data and have adequate cybersecurity measures to protect against cyberattacks.
The UK GDPR states that data breach victims have the right to claim compensation. However, they can only do so if the company that was supposed to protect their personal data essentially caused the data breach. They should also be able to prove any financial or psychological suffering.
This guide will look at the Starwood Hotels data breach, which occurred due to a cyberattack. We will also look at how data breaches can happen and what effect they can have on data breach victims. Furthermore, we will explain how you could make a data breach claim if you have been affected by a data breach.
Remember, there are time limits for data breach claims in the UK. They are:
- Six years; or
- One year if they involve a public body.
Accident Claims UK could help you if your personal data was compromised in a data breach. If you have a valid claim, contact us to speak to a trained claims advisor. We can offer you a free, no-obligation legal consultation. And if we can see that you have a solid claim, a skilled data breach lawyer could be assigned to work with you.
When guests make a booking at a hotel, the hotel will collect personal data about that individual. Personal data/information is any information that could be used to identify you. In the wrong hands, this data could compromise your privacy and security.
Here are some examples of personal data hotels may collect from their guests:
- First name(s)
- Landline telephone number
- Mobile phone number
- Email address
- Home address
- Date of birth
- Passport number
- Credit card details
- Login details for your online account.
If a Marriott Hotels data breach were to occur, it would be a security incident leading to the breach of personal data privacy. This compromises the guest’s personal security and data privacy.
A data breach can occur when personal data is unlawfully (or without authorisation):
Data breaches can be accidental or deliberate. They can involve personal information stored physically (such as on paper records) or digitally.
How can a hotel or hospitality industry data breach happen?
Hotel employee errors cause many data breaches. For example, a marketing department may send personalised promotional materials to the wrong home address, even though they have the correct one on file. If the recipient accesses the personal information without a lawful reason, it would be a data breach. This can be an emotionally distressing experience for those involved.
Unfortunately, hotel data breaches can also be the work of malicious actors. For example, a data breach could occur if the company is the target of a cyberattack. This means that cybercriminals may use malicious software to gain unlawful access to the hotel’s systems.
Consequently, fraudsters may target hotel guests for identity theft. Furthermore, burglars may target guests’ homes while they’re on holiday if criminals can access their home address, arrival, and departure dates.
Victims of a data breach at a hotel could claim compensation if they suffered financially or mentally and the data breach was caused by the hotel’s failings.
If you have evidence of a valid claim, contact Accident Claims UK, and we could connect you with an experienced data breach solicitor to start working on your claim.
The UK General Data Protection Regulation requires businesses to do the following if personal data breaches occur:
- The business should report the data breach to the Information Commissioner’s Office (ICO) within 72 hours so long as it risks the freedoms and rights of the data subjects. As a result, the company may be the subject of an ICO investigation.
- Any individuals who have been affected by the data breach should be notified without undue delay if their freedoms and rights are at risk.
- Moreover, the company should keep a record of the data breach, whether or not the data breach needs to be reported to the ICO.
Who is the Information Commissioner’s Office?
They are a UK public body that upholds the data privacy rights of the public. The ICO has the power to investigate companies that breach personal data protection laws and can issue an ICO fine.
How Does The GDPR Apply To Hotels?
A data subject is an individual whose personal data is collected, stored or processed. For example, the data subject could be a hotel guest, a hotel employee or another stakeholder.
The UK GDPR requires hotels to do the following when handling personal data.
- Firstly, the hotel should only collect a data subject’s personal data if they have permitted the business to do so.
- Secondly, the hotel should inform the data subject of the purpose of the data collection. After that, the hotel should not use the data for any other purpose. (However, the company could share your personal data without your consent if there’s a lawful reason to.)
- Thirdly, the hotel should keep the personal data they have collected up to date.
- The hotel business should follow all appropriate data protection legislation.
The hotel should also abide by the principles set out under the UK GDPR.
The 2020 Marriott data breach involved hackers who were able to get the login details of a couple of Marriott employees. The hackers may have used these details to access guest information.
Another Marriott Hotels data incident took place in 2014. Starwood Hotels experienced a cyber-attack by an unknown source. Unfortunately, the Starwood Hotels data breach was not discovered until 2018, after Marriott had acquired the company.
What information was potentially compromised in the Marriott data breach?
The cyber-attackers were able to access the following personal data records:
- Guest names
- Email addresses
- Phone numbers
- Unencrypted passport numbers
- Arrival and departure dates
- Marriott loyalty programme membership numbers
- Guests’ VIP status
How many guests were possibly affected by the data breach?
This is not fully understood because one guest may have several data records. However, 339 million guest records were impacted. Seven million of these guest records were related to people in the UK.
Following Marriott’s report of the data breach, the ICO investigated. Subsequently, the company was issued with an £18.4 million Marriott data breach fine from the ICO.
To make a personal data breach claim, you would need to have experienced emotional distress, psychological injury or financial losses as a result of the data breach. The data breach should also have been caused by the hotel’s positive wrongful conduct.
Essentially, even a data breach that cybercriminals were able to carry out could be caused by a hotel’s data security failings.
To see if you are eligible to claim compensation, call Accident Claims UK to speak to an advisor about your ordeal.
What Rights Do Individuals Have Under The GDPR?
The UK General Data Protection Regulation protects the rights of individual data subjects. For example, data subjects have the right to be informed of how hotels will use their personal data and have the right to access their personal data. What’s more, in certain circumstances, data subjects can restrict data processing. This ICO guide to individual rights has more information.
It’s not essential to use the services of a data breach solicitor to claim. However, we believe it can be beneficial. Your data breach solicitor would need to provide evidence to support your hotel data breach claim. The following can be used as evidence to support your compensation claim for a hotel data breach:
- The notification you received, informing you that your personal data had been compromised in a data breach.
- Medical records about any mental health problems you have struggled with because of the data breach.
- Financial records such as your current account statement to prove any financial losses incurred.
A solicitor could advise you on the strength of your evidence as well as help you understand what you could collect.
You may be wondering, ‘How much compensation can I claim for a hotel data breach?’ You can use the table below to estimate how much compensation you could receive for your psychological injuries. The table excludes compensation you could receive for financial losses.
| Severity of the injury | Type of psychological injury | Notes about this injury | Settlement estimate |
|---|---|---|---|
| Severe | Post-Traumatic Stress Disorder (PTSD) | This is the most severe level of PTSD. The claimant may experience permanent psychological symptoms. These could impact their ability to continue in work, relationships or education at a pre-trauma level. | £56,180 to £94,470 |
| Moderately Severe | Post-Traumatic Stress Disorder (PTSD) | The person will have a better prognosis than those in the category above. They will require professional treatment as well as some assistance. The PTSD may still cause significant disabilities. | £21,730 to £56,180 |
| Moderate | Post-Traumatic Stress Disorder (PTSD) | The victim should have (largely) recovered. Any effects which remain should not be considered 'grossly disabling'. | £7,680 to £21,730 |
| Less Severe | Post-Traumatic Stress Disorder (PTSD) | The person affected should be able to make a full recovery (or close to a full recovery) in 12 to 24 months. Beyond this they should only experience very mild symptoms. | Up to £7,680 |
| Severe | Psychiatric Damage (Generally) | The psychiatric damage may cause significant problems in continuing with education or work, or problems with relationships. | £51,460 to £108,620 |
| Moderately Severe | Psychiatric Damage (Generally) | At the moderately severe level, people could be awarded compensation at the higher or lower end of the band. However, most settlements will be closer to the middle. | £17,900 to £51,460 |
| Moderate | Psychiatric Damage (Generally) | The claimant should have had a marked improvement in their symptoms. Overall, this claimant should have a good prognosis. | £5,500 to £17,900 |
| Less Severe | Psychiatric Damage (Generally) | Compensation and damages awarded will depend on the severity and duration of symptoms suffered as well as their extent. | Up to £5,500 |
How are these compensation amounts calculated?
The compensation table above is based on guidelines from the Judicial College for emotional damages and psychological injuries. These guidelines contain recommended awards for varying injuries and their severities. Solicitors use them to value injuries.
However, the amount of compensation you could receive would depend on your personal circumstances. You can call Accident Claims UK today, and an advisor can estimate how much money your claim could be worth.
You could receive up to two heads of claim if your data breach compensation claim is successful. These are material damages and non-material damages. Let’s look at what this means in more detail below.
Data breaches can be a traumatic experience. They can be a gross violation of one’s privacy, which can be emotionally distressing. What’s more, a data breach can also jeopardise your personal security, such as if your home address is published online.
Many people experience psychological harm after a data breach which can manifest itself in several ways, such as loss of sleep and appetite. Furthermore, some people might develop psychological injuries such as anxiety or depression.
Compensation for non-material damages is paid out for any emotional distress or psychological injury experienced due to the personal data breach.
Unfortunately, being the victim of a data breach sometimes means that criminals can use your personal data to target you. For example, fraudsters may use your name and email address to send you phishing scam emails.
This can lead to you suffering financial losses. Your compensation payout can include material damages, which would repay you for any unrecovered money lost because of a hotel data breach.
You’d need to prove your financial losses by providing, for example, bank statements or credit scores.
What does No Win No Fee mean? It is a method of funding a solicitor to work on your claim whereby you, the claimant, sign a Conditional Fee Agreement (the formal term for a No Win No Fee agreement).
The No Win No Fee agreement states that you won’t pay an upfront solicitor’s fee. Instead, you would pay a success fee if your claim is successful. Our solicitors would deduct your success fee from your compensation payout at a capped rate.
What are some benefits of making a No Win No Fee claim?
- There is a lower financial risk involved in funding the services of a solicitor. This is because we will not charge you a success fee if you lose your claim.
- What’s more, there is no upfront or ongoing solicitor’s fee to pay, making No Win No Fee claims more affordable for many.
Why not get in touch to learn more?
If you have evidence that your personal data was involved in a Marriott Hotels data breach, why not contact us? We will speak to you in-depth. What’s more, we could appoint a solicitor to start working on your claim to see that you are owed compensation.
To see if you could begin your claim, contact us using the details below:
- Call us on 0800 073 8801.
- Please fill out our contact form and we’ll get back to you whenever’s best for you.
- Or ask an advisor a question directly, using our chat widget.
Our advisors are available 24/7 and give free legal advice. What’s more, you’ll be under no obligation to proceed with our services.
Let’s answer some frequently asked questions about data breaches in the hotel and hospitality industry.
What could Marriott have done to avoid the data breach?
Marriott could have used tokenisation and encryption techniques to secure the personal data in its databases. This could have helped to protect the data because tokenisation replaces data with an undecipherable token.
What is the Marriott data breach?
The Marriott data breach was a cyber attack on the Starwood Hotels database. Marriott acquired Starwood Hotels in 2016. As a result, over 339 million guest records were breached.
Why are hotels vulnerable to data breaches?
Hotels have a high number of transactions and collect sensitive personal data. This is why many believe that hotels are vulnerable to data breaches.
You may find these data breach guides helpful.
People who have experienced a data breach can suffer from emotional distress. This guide explains how to claim compensation for any psychological injuries or trauma experienced.
Employees’ personal data is supposed to be protected by employers. This guide will explain how to claim compensation if your employer has breached your personal data privacy.
Mortgage providers collect personal data from their clients. Read our guide to claiming compensation from your mortgage provider if they breached your personal data privacy.
Schools collect personal information about parents and guardians as well as children. Find out what you could do if you or your child suffer due to a school data breach.
Personal data breaches: an ICO guide
Be data-aware: an ICO guide
Find out what data an organisation has about you: a government guide
We hope you have found this guide on what you could do after a Marriott Hotels data breach helpful.
Guide by HC
Edited by RV