Marriott Hotels GDPR Data Breach Compensation Claims Guide – How To Claim?

At the end of a long journey, few things are as pleasant as relaxing in a clean and well-run hotel. As you plan the next stage of your itinerary, the last thing you may be worried about is how a hotel could abuse your data. However, following a data breach by the Marriott hotel chain, this is exactly what happened. Over 300 million guests suffered a data breach, exposing personal information, passport information and payment details.

Marriott Hotels data breach compensation claims guide

Marriott Hotels data breach compensation claims guide

The Information Commissioners Office (ICO) issued the highest fine they could against the hotel chain. £18.4 million was levied against Marriott hotels for the data breach and failing to properly safeguard against the cyberattack that happened over a prolonged period of time.

They were deemed to have failed in their duty to ensure an overhaul of in-house security software when a merger deal with another hotel chain resulted in an ongoing cyber-threat.

Cybercrime like this is not as unusual as you might think and it’s on the increase. This article aims to clarify any questions you may have about data breaches within Marriott hotels. If you have evidence that the chain caused your private information to be exposed in a way that caused financial or emotional damage, speak to our team about your options for seeking compensation.

  • Call us for a free, informal consultation about how the claim could work on 0161 696 9685
  • Write or email with your evidence against Marriott hotels at Legal Helpline
  • Use the ‘live support’ option for instant advice or help

Select A Section

  1. A Guide On Claims For A Data Breach By Marriott Hotels
  2. What Is A Claim For A Data Breach Against Marriott Hotels?
  3. How Sharing Data With A Third Party Could Breach The GDPR
  4. The Marriott Data Breach Fine By The Information Commissioner
  5. Calculating Compensation Claims For A Data Breach By Marriott Hotels
  6. What Types Of Compensation May Be Awarded For Data Breaches?
  7. How Do I Get Help From the Information Commissioner?
  8. No Win No Fee Compensation Claims For The Data Breach By Marriott
  9. How To Get Help From A Specialist Data Breach Solicitor
  10. How To Claim Compensation For A Data Protection Breach
  11. Contact Us For Free Advice
  12. Marriott Hotels Data Breach FAQs
  13. Where To Learn More

A Guide On Claims For A Data Breach By Marriott Hotels

Our guide to the data breach by Marriott hotels aims to explain what you need to build an effective case for compensation if you can prove you were adversely affected by their 2018 data hack. We discuss how to assemble proof and how to find a No Win No Fee data breach solicitor.

Clearly, in order for a hotel chain to operate properly, they need to retain a good deal of personal information such as:

  • Names and addresses
  • Passport details
  • Bank details
  • Other sensitive information
  • Arrival and departure information
  • VIP details
  • Loyalty programme numbers

Under laws established in 2018 called the General Data Protection Regulation (GDPR), every company or organisation now has a strict responsibility to safeguard your private data. A breach can be classified as an accidental or deliberate loss, alteration, destruction or unauthorised sharing of this data without permission.

Marriott hotels were found in breach of GDPR rules by failing to halt a cyber-attack against a subsidiary chain of hotels they acquired. The cyberattack continued unnoticed and unabated for 4 years. During this period, the personal data of guests were exposed.

Seeking Compensation

If you can prove that you’ve been harmed by the data breach by Marriott, it could be possible to seek compensation. When you work with Legal Helpline, we could connect you to a data breach solicitor from our panel who could take up your case. They can ask any questions you have like how much compensation can you get for a data breach?

Calculating both financial and mental distress, your No Win No Fee data breach solicitor can build a case that could reverse the harm done to you by the negligence of data management in a major hotel chain.

These impacts can cause real harm. The stress of sudden financial loss or the violation of your personal identity on any level can create a tremendous amount of suffering. How is this rectified? One of the ways is through compensation and this article explains how.

What Is A Claim For A Data Breach Against Marriott Hotels?

Marriott hotels failed to increase its security quickly enough to prevent a breach that gave hackers free rein to access private data for around four years. In the UK, the breach included  7 million users. Perhaps you were one of them? If you have evidence of how the breach damaged your finances through bank fraud, your identity or credit rating, contact us now.

It’s important to note that Marriott promptly addressed the issue once it was discovered. Furthermore, they ‘deeply regretted’ the incident and installed immediate improvements to their data security. Obviously, this was too late for the 338 million or so guests who had to contend with the prospect of their personal information being exposed.

How Sharing Data With A Third Party Could Breach The GDPR

Data sharing is not intrinsically wrong. Many organisations thrive on sharing data and would be unable to provide an efficient service to their customers without it.

Consent is key. Every time we visit a website, purchase something online, send an email or visit social media sites we are tacitly or explicitly giving our consent to share data. Furthermore, some forms of data sharing do not require our consent at all.

There are three main groups involved in data sharing:

  • Controllers are the people or organisations that are in possession of our data and sets out the reasons for collecting it.
  • Processors are the companies who are tasked with processing that data, its upkeep, dissemination and transportation, and safe storage.
  • Third parties are those who receive the data for pre-agreed purposes.

GDPR rules require each party involved in this process to practice some core responsibilities with our data and its sharing, such as:

  • Lawfulness, fairness and transparency – ensuring the reasons for collecting data are lawful and obvious
  • Purpose limitation – only keeping data for specific, pre-agreed reasons
  • Data minimisation – collecting only the data that is strictly necessary
  • Accuracy – updating and checking the data is relevant and factual
  • Storage limitation – keeping data for finite periods of time.
  • Integrity and confidentiality (security) – behaving in accordance with these rules at all times and at all levels
  • Accountability – admitting a breach and promptly taking steps to address it.

In addition to these core principles, the ICO suggest other practical steps that businesses can take to ensure third-party sharing of data is water-tight. Companies that fail can face crippling fines. They also have a duty to report a breach within a 72 hour period.

The Marriott Data Breach Fine By The Information Commissioner

The ICO has two levels of penalty that they can use and unfortunately for Marriott Hotels, they received the highest fine of £18.4 million. According to the ICO’s commissioner, Elizabeth Denham, millions of people’s data was affected during the four-year window of exposure to cybercriminals. The Marriott data breach fine given by the ICO was one of the most high-profile they have issued.

Marriott fell foul of not checking the security status of Starwood Hotels, a chain of smaller hotels they acquired in a merger. As the two companies merged, the smaller one was already a victim of pre-existing cybercrime, unbeknownst to Marriott. Many considered it sheer bad luck but had their in-house security procedures been better, much could have been done to mitigate the damage.

An unknown hacker attached a ‘web shell’ on to a device in a Starwood Hotel in 2014. This enabled them to access the information of guests and make alterations or deletions. The malware allowed the cybercriminals to access the records remotely and obtain unrestricted and privileged access, which in turn could be sold online.

Calculating Compensation Claims For A Data Breach By Marriott Hotels

The impact of this on customers could be devastating on many levels. Luckily for claimants, the law on data breach compensation changed in 2015. Up to that point, it was necessary to show financial damage in order to claim any psychological harm. However, following the case of Vidal-Hall v Google Inc [2015], it’s now possible to claim compensation for either psychological harm or financial damage.

To give you an insight into the potential compensation awards for mental harm, we’ve compiled a table using the Judicial College Guidelines. Normally used to calculate personal injury cases of accident liability, it can now help you.

InjuryEffectsSuggested Award
Psychiatric Damage - SevereSevere problems that affect many areas of daily and social life.£54,830 to £115,730
Psychiatric Damage - Moderately SevereSignificant problems with daily life. But, there is a more optimistic prognosis.£19,070 to £54,830
Psychiatric Damage - ModerateMarked improvement shave been made, despite having struggles with various problems.£5,860 to £19,070
Psychiatric Damage - Less SevereThe effect on daily activities and sleep will be taken into account. £1,540 to £5,860
PTSD - SevereInability to function the same as pre-trauma due to permanent effects.£59,860 to £100,670
PTSD - Moderately SevereRecovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future.£23,150 to £59,860
PTSD - ModerateLargely recovered with any persisting symptoms not being majorly disabling.£8,180 to £23,150
PTSD - Less SevereA full recovery is made within 2 years, with only minor problems persisting after this.£3,950 to £8,180

As the victim of a Marriott data breach you may have suffered anguish and mental damage in the following ways:

  • Anguish about who had your bank details
  • Sleeplessness and increased anxiety about identity theft
  • Post-traumatic stress disorder (PTSD) if you suddenly have a stalker from a data breach
  • Your children’s details are now freely available online
  • Acute worry or distress from imagined or real consequences of fraud
  • Constant fears generated by the risk of targetting
  • Depression caused by stress and worry
  • Travel phobias
  • Increased fear of strangers – damage to personal relationships
  • Trust issues

If a hotel data privacy breach happened to you, it’s possible to suffer from any or all of the conditions listed above. The success of calculating compensation for it will hinge on your ability to prove these mental health consequences. An independent medical assessment, undertaken as part of the claim, can provide the proof to sustain your case of injury caused by a data breach.

It’s important to note that evidence is essential, so if you think you have something that can prove ill-health caused by an avoidable lapse in customer care on this scale, speak to our team now.

What Types Of Compensation Can Be Awarded For Data Breaches

In addition to the damages classed as ‘non-material’ (i.e. not tangible in a monetary sense), you can claim compensation for the ‘material’ or financial impact of a data breach. This can be far-reaching.

Imagine if cybercriminals obtained your credit card details and proceeded to exhaust the funds? Or worse, used your passport and bank details to open new lines of credit in your name resulting in hundreds of thousands of pounds of newly acquired debt.

Crucially, these costs can accumulate for months after the initial fraud has been uncovered. Late fees, unauthorised overdraft use, credit card late fees and such can flood in for weeks or months after. Given that you only have one opportunity to make a data breach claim it’s essential that the amount calculated can cover all these ‘slow burn’ charges and debts. We cannot simply grab a figure for compensation out of the air. It’s essential that calculate the accurate extent when aiming for your compensation.

Also, gangs could use your details to target you for far more sinister motives. The stress of this could result in you missing work or needing counselling to deal with it. Each and every one of these financial impacts could be something that you can seek back as compensation in a data breach claim.

Speak to our team at Legal Helpline to see how we can offer the right advice about your situation.

How Do I Get Help From the Information Commissioner?

The ICO is not an organisation that pays compensation. In order to actually win damages, you need to represent your own case for personal and financial harm or hire the services of a data breach solicitor.

Cases like this can be protracted and complex, so it’s better to work with a lawyer who has the expertise and time to evaluate and guide your case properly. No Win No Fee arrangements offer an excellent solution to this, which we discuss in detail in the next section.

If you’ve been impacted by a data breach, the company involved has 72 hours to inform you. If they fail to do this, or if you suspect a data breach has happened and query it with them and receive no satisfactory response during the three month period they have to respond, you can ask the ICO to step in and investigate. The ICO will not usually consider data breaches that have gone past three months since the last meaningful contact or dialogue with Marriott.

Involving the ICO can greatly strengthen your case. At the very least it sends the message that you are serious about seeking redress from them and need a response. Marriott may offer to settle with you directly. If they do not, you can start to assemble the evidence needed to give your No Win No Fee lawyer the ability to construct your case for compensation.

No Win No Fee Compensation Claims For The Data Breach By Marriott

Undoubtedly, starting a data breach claim against a multi-national hotel chain may seem daunting. It’s important to remember that the failings on Marriott’s part have been established by the ICO.

Using a data breach solicitor in a No Win No Fee capacity offers some unique advantages. There are no upfront fees required, nor any while the case progresses. There are no fees to pay as the case moves forward (there is a 6-year time limit to starting a data breach claim or 1 year if the breach involved a violation of your human rights) and there’s nothing to pay to your solicitor if your case fails.

A successful Marriott data breach claim could result in you receiving compensation. If your case wins, a small and legally restricted amount goes to your data breach lawyer to help cover their fees. This is deducted from your compensation award. The rest of the money goes to you.

We understand that money cannot address the sense of violation created by having your personal details freely available online. The loss of privacy and peace of mind can be devastating. But it can halt the damage to your finances and help pay for your emotional recovery. Call us today to get your case started.

How To Get Help From A Specialist Data Breach Solicitor

Once you have established the evidence needed to prove you are a data breach victim, what do you do next? You can take your medical or financial proof of suffering to a local high street law firm but what guarantee have you got that they could evaluate your case properly?

In addition, you could use an online compensation calculator to generate a figure that may or may not fully take into account the true extent of the harm you’ve suffered. With only one chance at a proper claim, do you want to take this risk?

At Legal Helpline, we offer an introductory service to skilled data breach lawyers from our panel who handle cases across the country. With over three decades of experience, when you call our friendly team to chat over what happened, you could be starting a compensation claim with a No Win No Fee lawyer who truly grasps the enormity of what happened to you.

How To Claim Compensation For A Data Protection Breach

The data breach by Marriott hotels was a shocking and extreme case. If you can prove that Marriott or any other hotel breached data protection rules which resulted in harming you, get in touch. We’ve covered a lot of information in this guide, so to recap:

  • Firstly, you believe you have proof against Marriott hotels of a data breach
  • Secondly, you can put your concerns to them in writing
  • If you’ve done so already, you have not received a satisfactory response for a three month period
  • You may have taken your complaint to the ICO
  • Also, you can begin to assemble evidence to present to a data breach solicitor
  • Reach out to Legal Helpline for an introduction to a No Win No Fee data breach solicitor to represent you.

Contact Us For Free Advice

Thank you for reading this guide to making a claim for a data breach by Marriott. If you have evidence that Marriott hotels breached your data in a way that lead to financial or emotional damage, get in touch to see how we can help at Legal Helpline. You can:

  • Call on 0161 696 9685
  • Email or write to us with your evidence against Marriott at Legal Helpline
  • Use the ‘live support’ option, bottom right to access instant advice and help

Marriott Hotels Data Breach FAQs

In this section of our data breach claims guide, we’ve included some answers to commonly asked questions:

Do I need proof of a breach?

It’s important to point out that evidence of a data breach is essential. It’s neither ethical nor legal to start claims on the off-chance of obtaining damages from a company. At the beginning of your initial consultation, a good No Win No Fee lawyer will be frank about your chances of success. If they do not look good, they will tell you. Time-wasting is in no one’s best interests.

How do I make a data breach claim?

Firstly, you should express your concerns in writing to the hotel in question. If you fail to receive a satisfactory response within a three-month time period, you can involve the ICO. Involving the ICO is optional. You can also represent yourself in a data breach case. You do not have to have a lawyer to do it for you. In practice, however, it makes much more sense to let a professional handle your data breach claim as they can be time-consuming and legally complex.

What is the GDPR?

The General Data Protection Regulation (GDPR) came into effect in 2018. It seeks to safeguard our personal data. It provides guidance for on and offline use and clearly outlines to all concerned how our data should be handled.

What is the Data Protection Act?

The Data Protection Act 2018 was introduced to enact into UK law the GDPR. It sought to enshrine people’s rights to use data fairly, lawfully and transparently

Can I claim for a breach of the GDPR?

The landmark case of Vidal-Hall v Google that we looked at above changed how compensation can be awarded for material and non-material harms. In view of this, you can claim for either or both forms of damage under GDPR.

Where To Learn More

Victim support from data breach crimes is available and the ICO explains why our data matters. Also, you can read how to protect your data better in the future.

You can also check out some of our other data breach guides, including:

Thank you for reading our guide to the data breach by Marriott Hotels.


Guide by  JJW

Edited by REB