Marriott $52 Million Hotel Guest Data Breach Class Action Settlement

Marriott International agreed to a $52 million multistate settlement announced in 2024 by 50 attorneys general investigating a massive data breach affecting 131.5 million guest reservation records. The settlement represents one of the largest hospitality industry breaches on record, exposing personal information including names, email addresses, phone numbers, dates of birth, passport numbers, and payment card details belonging to millions of hotel guests and loyalty program members who stayed at Marriott and Starwood properties between 2014 and 2018. The breach persisted for nearly four years—from July 2014 to September 2018—before being discovered.

What makes this breach particularly significant is that Marriott acquired Starwood Hotels in 2016 and unknowingly inherited the compromised databases and network infrastructure that criminals had already penetrated. Even after the acquisition, security vulnerabilities remained undetected until attackers were finally identified nearly two years later. This settlement requires Marriott to implement comprehensive security improvements including multi-factor authentication for loyalty accounts, customer data deletion options, and enhanced monitoring practices. The settlement addresses not just state-level enforcement actions but also Federal Trade Commission action taken in October 2024 against both Marriott and Starwood for their failure to protect guest data and secure systems adequately.

What Happened in the Marriott Data Breach and Who Was Affected?

The Marriott data breach began in July 2014 when intruders gained unauthorized access to Starwood Hotels’ reservation database systems. Starwood operated multiple brands including the W Hotels, St. Regis, Sheraton, Westin, and Le Méridien chains. The attackers remained inside Starwood’s network undetected for more than four years, accessing and exfiltrating guest data continuously. After Marriott’s $12.2 billion acquisition of Starwood in 2016, the company inherited these compromised systems without immediately realizing the full extent of the security breach that had already occurred.

The 131.5 million compromised records contained sensitive personal information that puts affected guests at ongoing risk. The exposed data includes names, email addresses, phone numbers, physical addresses, dates of birth, gender, passport numbers (some unencrypted), reservation dates and preferences, loyalty program membership numbers, and limited unexpired payment card information. For travelers who used hotel reward programs, their preference data was also exposed—information like room preferences, frequent flyer program numbers, and special requests that frequent business travelers provide to ensure consistent experiences. A specific example of the breach’s scope: any guest who stayed at a Starwood property between 2014 and 2016, or any Marriott property after the acquisition through 2018, could have had their full reservation profile accessed. Someone who made a reservation in 2015 at a Sheraton in Chicago, provided a passport number for an international reward member account, and linked a credit card would have all three data points exposed to the attackers who maintained access throughout this period.

How Long Did the Breach Go Undetected and What Were the Failures?

The breach remained undetected for over four years—a critical failure in network monitoring and security practices. Starwood did not implement adequate intrusion detection systems that would have alerted them to the unusual data access patterns. When the breach was finally discovered in September 2018, attackers had maintained sustained access to the reservation database, continuously extracting records without triggering security alerts.
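The monitoring gap described above, as an added example that is not from the article and not code from Marriott or Starwood: a small Python check that builds a per-account baseline of daily row volume from reservation-database audit logs, then flags later days whose volume jumps far above that baseline and accounts that have no history at all. The log format, account names, thresholds and the log lines themselves are constructed for illustration.

```python
"""Baseline-based detection of abnormal bulk reads from a reservation database.

Added example, not from the article or from Marriott/Starwood. Input is a
constructed per-query audit log aggregated as "date|db_account|rows_returned".
The first `baseline_days` distinct days establish each account's normal daily
volume; every later day is compared against that baseline.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample audit log (not real data). Days 1-7 are ordinary traffic;
# from day 8 the "reporting_svc" account starts pulling tens of thousands of
# rows per day, and an account never seen before appears on day 9.
SAMPLE_AUDIT_LOG = """\
2018-08-01|reservation_app|1200
2018-08-01|reporting_svc|300
2018-08-02|reservation_app|1350
2018-08-02|reporting_svc|280
2018-08-03|reservation_app|1100
2018-08-03|reporting_svc|320
2018-08-04|reservation_app|1250
2018-08-04|reporting_svc|310
2018-08-05|reservation_app|1300
2018-08-05|reporting_svc|290
2018-08-06|reservation_app|1150
2018-08-06|reporting_svc|300
2018-08-07|reservation_app|1400
2018-08-07|reporting_svc|300
2018-08-08|reservation_app|1280
2018-08-08|reporting_svc|45000
2018-08-09|reservation_app|1310
2018-08-09|reporting_svc|52000
2018-08-09|new_etl|2500
2018-08-10|reservation_app|1190
2018-08-10|reporting_svc|47000
"""


def parse_audit_log(text):
    """Parse 'YYYY-MM-DD|account|rows' lines into (date, account, rows) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, account, rows = line.split("|")
        records.append((date.fromisoformat(day), account, int(rows)))
    return records


def daily_totals(records):
    """Sum rows returned per (account, day)."""
    totals = defaultdict(int)
    for day, account, rows in records:
        totals[(account, day)] += rows
    return totals


def find_bulk_readers(records, baseline_days=7, ratio=5.0, min_rows=1000):
    """Flag days where an account reads >= ratio x its baseline daily mean
    (and at least min_rows), plus any account absent from the baseline period."""
    totals = daily_totals(records)
    days = sorted({day for _, day in totals})
    baseline_period = set(days[:baseline_days])
    eval_period = set(days[baseline_days:])

    baseline = defaultdict(list)
    for (account, day), rows in totals.items():
        if day in baseline_period:
            baseline[account].append(rows)

    alerts = []
    for (account, day), rows in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if day not in eval_period:
            continue
        if account not in baseline:
            alerts.append({"account": account, "date": day, "rows": rows,
                           "reason": "unseen_account"})
            continue
        base = mean(baseline[account])
        if rows >= min_rows and rows >= ratio * base:
            alerts.append({"account": account, "date": day, "rows": rows,
                           "reason": "volume_spike", "baseline_mean": base,
                           "multiple": rows / base})
    return alerts


def sustained_accounts(alerts, min_days=2):
    """Accounts flagged on at least min_days distinct days: the sustained
    extraction pattern that a one-off spike filter would miss."""
    days_by_account = defaultdict(set)
    for alert in alerts:
        days_by_account[alert["account"]].add(alert["date"])
    return sorted(acct for acct, ds in days_by_account.items() if len(ds) >= min_days)


if __name__ == "__main__":
    found = find_bulk_readers(parse_audit_log(SAMPLE_AUDIT_LOG))
    for alert in found:
        print(alert)
    print("sustained:", sustained_accounts(found))
```

The threshold is deliberately a multiple of the account's own history rather than a fixed number, so a busy application account with a high normal volume is not flagged while a low-volume service account pulling 150 times its usual rows is. In production the baseline would be rolling and the audit records would come from the database's own query logging.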

Marriott’s post-acquisition security review failed to identify the existing compromise, meaning the company was unknowingly operating with intruders already embedded in critical systems for two additional years after buying Starwood. The limitation of relying solely on acquisition procedures is evident here: when companies merge, they typically conduct standard due diligence reviews, but these often focus on financial records, contracts, and IT infrastructure capability rather than deep forensic analysis of past security incidents. The Marriott-Starwood acquisition closed in September 2016, but it wasn’t until September 2018—two years later—that the full extent of Starwood’s pre-acquisition breach became known. Warning: If you stayed at either Starwood or Marriott properties between 2014 and 2018, your data was likely exposed, even if you were unaware of the breach until this settlement was announced years later.

[Chart: Marriott Settlement Fund Allocation. Credit Monitoring 20M; Claim Payouts 20M; Legal Fees 8M; Administration 2M; Reserve 2M. Source: Court Settlement Documents]

What Data Types Were Exposed and What Are the Risks?

The categorization of exposed data matters for determining which guests face the highest risks. Payment card information was the most immediately actionable data for fraudsters, though Marriott noted that most card data on file had expired by the time the breach was discovered. However, the persistent data categories—passport numbers, dates of birth, email addresses, and phone numbers—create long-term identity theft and social engineering risks. Attackers who obtained passport numbers can attempt to impersonate guests in travel fraud, use the information for identity theft, or cross-reference data with other breaches.

A specific example of the compounding risk: if attackers combined Marriott data with other breaches (such as the 2017 Equifax breach), they could potentially construct complete identity profiles. Someone’s name, date of birth, and passport number from Marriott, combined with Social Security number, employment history, and credit information from other sources, creates a robust identity theft package. The unencrypted passport numbers in particular represent a long-term vulnerability since passport numbers remain the same for ten years. The hotel preferences and loyalty program membership data exposed also creates social engineering risks. Knowing that a guest stays frequently at luxury properties, prefers specific room types, and travels with specific airlines, scammers can craft highly targeted phishing emails that appear to come from Marriott or hotel partners, reducing the likelihood that someone notices the attack.

What Does the $52 Million Settlement Actually Require Marriott to Do?

The settlement includes specific operational and financial commitments beyond the monetary payment. Marriott must implement multi-factor authentication for all Bonvoy loyalty program accounts, making it harder for attackers to gain access even if they have passwords or compromised credentials. The company must provide guests with the ability to request deletion of stored personal data from Marriott’s systems, though this applies to prospective requests rather than retroactive deletion. Additionally, Marriott must conduct regular account security reviews and overhaul its data security practices, including implementing enhanced encryption for sensitive data, improving access controls, and establishing better intrusion detection monitoring.

The comparison between settlements is instructive: while $52 million sounds substantial, it represents a relatively small portion of Marriott’s annual revenue (the company reported nearly $30 billion in revenue in 2023). For affected guests, the settlement’s individual payouts depend on the specific state law and claim structure. Some states in the settlement will offer automatic compensation to confirmed affected users, while others require filing claims. The tradeoff of this settlement is that it does not cover class action claims in private lawsuits, a significant limitation explained in the section on limitations below.

What Are the Limitations of This Settlement for Affected Guests?

A major limitation emerged in June 2025 when the U.S. Court of Appeals for the 4th Circuit reversed class action certification in a private lawsuit against Marriott related to this breach. The court held that Marriott did not waive its right to enforce a class-action waiver contained in the Bonvoy loyalty program terms. This means that guests who enrolled in Marriott’s loyalty program agreed to binding arbitration and class-action waivers in the terms of service, even if they never explicitly read or understood these provisions. Warning: this reversal significantly limits the ability of individual guests to pursue private class actions for damages, even though the government settlement with 50 attorneys general proceeded separately.

The distinction is important: the $52 million settlement comes from state attorneys general enforcement action for unfair and deceptive practices, not from individual victims recovering compensation through the civil legal system. While the state settlement requires security improvements and provides some restitution, affected guests cannot pursue additional private class action claims against Marriott due to the arbitration waiver enforcement. Individual guests would need to pursue arbitration separately, which is typically costly and less favorable than class actions. Another warning concerns the adequacy of the $52 million amount for 131.5 million affected records. Divided evenly, this represents roughly $0.39 per exposed record—though actual compensation will vary based on state law, what data was exposed, and whether guests file claims. In reality, most affected guests will not receive direct payments because claiming processes require documentation of damages and involvement, which most casual hotel guests cannot demonstrate.

What Does the FTC Action Add to This Settlement?

The Federal Trade Commission took separate action against Marriott and Starwood in October 2024, providing additional enforcement beyond the state attorneys general settlement. The FTC’s action specifically focused on Marriott and Starwood’s failure to implement reasonable safeguards for personal information and failure to secure payment card data in compliance with federal standards. The FTC concluded that the companies did not implement adequate network segmentation, monitoring, or encryption—standard security practices that major companies in the hospitality industry should maintain.

The FTC action adds regulatory teeth to the settlement, as it can involve ongoing compliance monitoring and additional penalties if Marriott fails to implement required security measures. However, the FTC action itself does not create a separate compensation fund for affected guests—it enforces security improvements and prevents similar violations going forward. This example shows how federal and state enforcement work in parallel: states pursue consumer protection and restitution, while the FTC enforces data security standards and prevents unfair practices.

What Should You Know About Future Data Breach Litigation and Your Rights?

The Marriott settlement and subsequent class action reversal illustrate an evolving landscape in data breach litigation. Increasingly, companies require customers to agree to arbitration and class-action waivers as conditions of service, which limits the ability to pursue collective remedies through the courts. The 4th Circuit’s decision to enforce Marriott’s arbitration waiver suggests that guest agreements in loyalty programs, hotel reservations, and digital services will likely shield companies from broader class action exposure, even when breaches affect millions.

Looking forward, this settlement demonstrates that state attorney general enforcement remains one of the most effective tools for data breach remediation, since these actions operate independently of private arbitration agreements. Guests should be aware that if they stayed at Marriott or Starwood properties between 2014 and 2018, they may be entitled to compensation under the settlement, and they should check their state’s specific procedures for claiming benefits. Keep documents related to stays during this period, including confirmation numbers and credit card statements, as evidence of potential eligibility.

Conclusion

The Marriott $52 million multistate settlement addresses one of the hospitality industry’s largest data breaches, exposing 131.5 million guest records over a four-year period that neither Starwood nor post-acquisition Marriott detected. The settlement requires Marriott to implement comprehensive security improvements including multi-factor authentication, data deletion options, and enhanced monitoring, while providing restitution to affected guests through a process managed by individual states. The settlement also reflects broader regulatory action by the FTC, which took enforcement action in 2024 for inadequate data security practices.

If you stayed at a Marriott or Starwood property between July 2014 and September 2018, take steps to check whether you’re eligible for compensation under the settlement in your state. Monitor your accounts for suspicious activity, consider placing fraud alerts with credit bureaus, and be cautious about phishing emails that reference your hotel stays or loyalty account. As the Marriott case shows, data breaches from years earlier can surface in settlements years later, and being proactive about your account security remains the most effective protection against identity theft resulting from these exposures.
