Hotel Data Breaches

When you make a booking with a hotel, whether directly or through an online platform such as or Expedia, you are required to hand over a lot of sensitive personal information, including your name, address, date of birth and payment details.

If that personal information is exposed in a data beach, it can be very serious, opening you up to the potential for fraud, as well as significant worry and emotional distress. Should you be a victim of a hotel data breach, it might be comforting to know that you may be entitled to compensation.

Any hotel or hotel booking platform that collects, processes and stores your personal data has a legal obligation to keep that data safe. This is covered by the Data Protection Act 2018, which is the UK version of the General Data Protection Regulation (GDPR).

If you have suffered financial damage, emotional distress, or a loss of privacy due to a hotel breaching any part of the Data Protection Act 2018, you have a right to claim compensation.

At Hayes Connor Solicitors, we have a wealth of combined experience helping people to claim compensation where their personal data has been lost, stolen or otherwise exposed due to breaches of data protection laws, including in hotel data breaches.

As one of the largest teams of data breach experts in the UK, we can help you claim everything you are entitled to for a hotel data breach. Even if you have not suffered any financial losses, you may still be able to claim.

Worried that making a claim will be difficult or stressful at an already tough time? Our team will work closely with you, keeping the process as simple and straightforward as possible. We’ll explain everything in plain English and keep you up to date on progress at all times, so you’ll never be left confused or wondering what is happening or what you need to do next.

See what our clients say about working with us

Where we believe you have a case for claiming hotel data breach compensation, we may be able to act for you on a no win, no fee basis, removing any financial risk from the process of making a claim.

Think you are entitled to compensation for a hotel data breach? Use our simple and secure online claim form to share the details of your situation and we will get back to you shortly to let you know whether we can help.

To speak to a member of our team now about what to do if your personal details have been exposed in a hotel data breach, please call us on 03300415139.

Click here to read on.

Making a hotel breach compensation claim

Are you owed compensation for a hotel data breach?

Fundamentally, if a hotel or hotel booking platform has failed in its legal obligations under the Data Protection Act 2018 and your personal data has been exposed as a result, you will be owed compensation. This is true even if you have not suffered anything specific due to the breach.

Knowing whether an organisation has breached the Data Protection Act can be difficult, but fortunately this is not something you will usually need to worry about. This is because any organisation that suffers a data breach is legally required to tell the Information Commissioner’s Office (ICO), which will then carry out an investigation.

ICO will determine whether a data breach has occurred and this will be made public. This makes things much simpler for anyone wishing to pursue a claim, however, it does mean it is normally necessary to wait for the result of their investigation before making a claim.

What compensation can you get for a hotel data breach?

This will all depend on how the breach has affected you. There is no requirement to show that you have suffered any specific harm in order to be able to claim compensation, but generally you will be able to claim more substantial damages if you can show one or both of the following:

Financial losses

For example, if your financial details were fraudulently used to make payments or take out credit in your name.


For example, if the stress of a data breach has left you with difficulty sleeping, feeling ill, unsettled and/or confused.

Is there a time limit to claim hotel data breach compensation?

The standard time limit to make a data breach claim is 6 years.

However, this is not necessarily counted from the date the breach occurred, but rather the time when you first became aware of it (or should reasonably have been aware of it). In most cases, this will be when the organisation that held your data notifies you of the breach in line with their legal obligations under the UK’s data protection laws.

We recommend speaking to us as soon as possible to give you the best chance of being able to claim, but it is still worth getting in touch even if you think you may have missed your chance as the time limits can be complicated, so you might still have time to claim.

How to start a hotel data breach claim

You first need to find out whether you have grounds for a claim. Our professional, friendly team will be happy to discuss a potential hotel data breach compensation claim with you and provide clear advice on whether we believe you may be owed compensation.

If you are not sure whether your personal details have been misused or mishandled, we can find this out for you.

Where we determine there is likely grounds for a claim, we will take care of the whole claims process for you. We will contact the organisation responsible for the breach and work tirelessly to ensure you get the compensation you are owed.

To get the claims process started, you can use our simple and secure online claim form to share the details of your situation and we will get back to you shortly to let you know whether we can help.

Or, if you want to speak to a member of our team, please get in touch.

Hotel data breach FAQs

Under the terms of the Data Protection Act 2018, any organisation that suffers a data breach is obliged to notify anyone whose data may have been affected. This does not always work out in practice, however, as organisations do not always meet this legal obligation and, even if they do, the relevant emails can easily be missed.

In many cases, victims only find out about a data breach when an organisation is fined by the Information Commissioner’s Office (ICO).

If you think you may have been the victim of a data breach (e.g. you are suddenly getting more spam emails and/or cold calls) you can check with to see if any emails you use have been compromised in a data breach.

Where a hotel (or any other organisation) suffers a data breach, they have a legal duty to inform the Information Commissioner’s Office (ICO). If you have been notified or a breach, this should already have happened, but it is a good idea to check.

If you believe you have been the victim of fraud following a data breach, you should report this to the police and Action Fraud.

In the wake of a data breach, ICO will normally recommend that the organisation responsible takes various actions to reduce the risk of future breaches. Sadly, such recommendations are not always acted upon, so there is no guarantee an organisation that has suffered one data breach will not experience another in future.

One option to prevent your data being exposed against is to request that an organisation delete any data is holds about you. You can then be confident there is no risk of them allowing your data to be exposed again in future.

You can contact a hotel directly to ask them to delete your data or our data breach experts would be happy to discuss how we can help with this.

Examples of hotel data breaches

Millions of people’s payment details at risk from and Expedia data breach

The payment details of millions of hotel customers may have been leaked due to a data breach affecting the software company behind a major hotel reservation system.

In a breach first uncovered on 6 November 2020, it was found that a cloud-based system used by leading hotel booking companies including and Expedia to process bookings had no security in place.

The data at risk covers bookings as far back as 2013 and includes highly sensitive data, including credit card and CVV numbers, full names, addresses and ID numbers of guests, as well as details about customers’ reservations.

Read more about the and Expedia data breach.

How to stay safe following a hotel company data breach

If you are concerned that your personal details have been stolen or otherwise exposed in a hotel data breach, the following steps can help to minimise the risk of further harm:

  1. Contact your bank or credit card company – if you believe your financial details may have been exposed.
  2. Change your passwords – both on any affected accounts and anywhere else you’ve used the same ones.
  3. Get up to date cybersecurity software – this can protect you from being targeted by any cybercriminals who get hold of your data.
  4. Register with the Cifas Protective Registration service – they’ll make sure extra checks are carried out if anyone tries to take out products or services in your name.
  5. Report the breach to the Information Commissioner’s Office – they can investigate how the breach happened and take action against the organisation responsible.
  6. Speak to a data breach expert – as well as telling you if you’re entitled to compensation, they can also advise you on having your data removed, so you aren’t at risk from future breaches at the same company.

Find out more about what to do if your data has been stolen in a data breach.

Start your hotel data breach claim today

At Hayes Connor Solicitors, we help you to claim compensation and steer you through the aftermath of a hotel data breach – minimising the impact on you as much as possible.

With strict time limits in place for making a hotel data breach claim, it’s important to act now to make sure you don’t miss out on your right to compensation.

You can find out more about our expertise and how we handle claims here. To have your claim assessed for free, you can use our secure online claim form. Or to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5137.