What you need to do following the Marriott data breach

data breach solicitors

The Marriott data hack is already being called one of the most serious data breaches of its kind. So much so that two US-based law firms have already filed class action lawsuits against Marriott International.

But if you are a UK customer worried about how the hack will affect you, what should you do to protect yourself?

What happened in the Marriott data breach?

On September 8, 2018, Marriott became aware that hackers had managed to access its Starwood guest reservation database. However, when investigating the breach it was uncovered that cybercriminals had enjoyed access to this database since 2014.

During this time the hackers accessed, copied and removed the private data of around 500 million customers.

Marriott is still working with cybersecurity experts to determine the scope of the breach.

What data has been put at risk due to the Marriott data breach?

Marriott has admitted that the stolen information includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, guest account information, reservation dates, and more.

Worse, Marriott has said that it has not been able to rule out that credit card information has also been exposed. And, while Marriott used an encrypted credit card system, it admits that the hackers could have stolen the encryption keys needed to decrypt this financial data.

Security experts have widely criticised Marriott for its “lacklustre” response following the data breach. For example, while the company has sent out millions of emails warning of the massive data breach, the email sender’s domain “email-marriott.com” doesn’t load, and doesn’t look like it comes from Marriott (it also has no identifying HTTPS certificate). So there is no easy way to check that the domain is real.

Should you be worried?

If you are a Marriott customer who has made a reservation at one of the affected hotels between 2014 and September 2018, then unfortunately yes.

Customers who have been affected should soon know if their data has been put at risk (if you haven’t been told already). If you are a Marriott International customer and you haven’t received an email make sure that you check your junk mail folder.

If you haven’t received an email but are still worried you should call the dedicated call centre Marriott has established to answer questions you may have about this incident. You can find out more about this here.

The theft of personal and financial information could lead to identity and financial fraud which has the potential to turn a person’s life upside down. And, as we don’t yet know what has been done with this data, or who has managed to get their hands on it, it is vital that you do everything you can to protect yourself.

What can you do to protect yourself?

Those affected by the Marriott data breach should do the following as soon as possible:

  • Inform the Information Commissioner’s Office (ICO)about your concerns. The ICO is the independent authority charged with upholding data protection rights in the UK. The ICO is currently making enquiries into the data breach. While it does not award compensation, if the ICO believes that Marriott International was negligent when looking after your data you can use this information in court to help prove your claim
  • Read our handy step-by-step guide to making a data breach claim
  • If you are worried that your banking details have been exposed, contact your bank immediately
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords on all your accounts
  • If you are offered any form of compensation or free services it’s important to check the small print. For example, it is thought that Marriott is offering a free subscription to the Webwatcher service to monitor for evidence of customers’ details being used online. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date.

Can you claim compensation following the Marriott data breach?

If you are a Marriott International customer and you have suffered financial loss or distress because of the data breach you could be entitled to compensation. Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

To date, Marriott has offered no monetary reparation. This is despite calls in the US for Marriott International to cover the cost of replacing passports for consumers impacted by the breach. However, even if compensation is offered, it’s vital that you are not fobbed off by a low amount.

Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, at Hayes Connor Solicitors we are now considering launching a group action to compensate UK victims of the Marriott data breach. We can take on your claim on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here.