Marriott Data Breach Class Action Lawsuit


The Starwood guest reservation database was accessed by an unauthorized third party between July 2014 and September 2018 (read more here). The breach is believed to have been carried out by a state-sponsored actor.

Marriott took over Starwood in 2016. The breach continued for two years under Marriott’s watch. The UK Information Commissioner’s Office (ICO) fined Marriott £99M on behalf of EU/EEA countries under the new GDPR legislation in July 2019, and Marriott is currently appealing the decision. We should know the result of these ICO proceedings at the end of September.

You can access the Marriott Data Breach Claim website here.

Note that only those who live in England or Wales and stayed at any Starwood property worldwide before September 10, 2018, are part of the class, unless they decide to opt out.

Here’s the press release about this class action:

Download (PDF, 178KB)


Not sure why this class action is only open to those living in England and Wales (not even the entire UK is included). The GDPR legislation applies to the entire European Union and EEA countries. Perhaps there is another case for the rest of us to join?

I don’t think large corporations will pay adequate attention to leaking data until they get fined amounts that make a material difference to their quarterly/yearly numbers and financial standing.

The Starwood data breach was massive. Hundreds of millions of records, including names, addresses, credit card numbers, and passport information, were vacuumed up. It is unbelievable that a breach of this magnitude was able to continue for more than four years.

Here are the frequently asked questions about this process: