Marriott Starwood $52 Million Data Breach Settlement


Marriott International and Starwood Hotels & Resorts agreed to a $52 million settlement with 50 state attorneys general and the Federal Trade Commission in October 2024, resolving charges that inadequate cybersecurity practices exposed more than 344 million guest records across multiple data breaches. The settlement is one of the largest hospitality data breach settlements to date, reflecting the severity of the security failures that allowed unauthorized access to sensitive guest information, including payment card data and unencrypted passport numbers. If you stayed at a Marriott or Starwood property between 2014 and 2020, your personal information may have been compromised, and you may be covered by the consumer remedies the settlement imposes on Marriott. The breaches involved three separate incidents spanning 2014 to 2020.

The first breach compromised payment card data of over 40,000 Starwood customers and went undetected for 14 months. The second breach exposed 339 million Starwood guest records, including 5.25 million unencrypted passport numbers—some of the most sensitive personal identifiers travelers carry. A third breach affected 5.2 million Marriott network guest records, with approximately 1.8 million belonging to American guests. Together, these breaches demonstrate a pattern of inadequate security controls that Marriott and Starwood failed to address promptly.


What Were the Three Marriott and Starwood Data Breaches?

The first breach occurred between 2014 and 2015 at Starwood properties, affecting payment card data belonging to more than 40,000 customers. What makes this breach particularly troubling is that it remained undetected for 14 months before Starwood notified customers in November 2015. That exposure window meant compromised card numbers were potentially in criminal hands for over a year, during which fraudulent charges could accumulate before cardholders were alerted. The second and most severe breach involved 339 million Starwood guest account records compromised between July 2014 and September 2018. This breach included names, email addresses, phone numbers, mailing addresses and, crucially, 5.25 million unencrypted passport numbers.

Passport numbers are particularly valuable to identity thieves because they are government-issued identifiers that can be used in travel fraud, fraudulent passport applications, and other identity crimes, and unlike a card number they cannot be reissued on request. The four-year exposure period gave the attackers ample time to build comprehensive profiles on millions of travelers. The third breach occurred on Marriott systems between September 2018 and February 2020, compromising 5.2 million guest records on the Marriott network, including 1.8 million records belonging to U.S. residents. This breach happened after Marriott's 2016 acquisition of Starwood, meaning that integrating Starwood's systems into Marriott's infrastructure did not close the gaps that the earlier intrusions had exposed.


How Many People Were Affected by These Breaches?

In total, 344 million guest records worldwide were compromised across the three breaches. To put that scale in perspective, it is roughly the entire population of the United States, although these are records rather than unique individuals, and one frequent traveler can account for many of them. The compromised data came from guests at Starwood brands (St. Regis, W, Westin, Sheraton, Le Méridien, Aloft, and Element) as well as Marriott's own properties. For context, the 2017 Equifax breach, one of the most notorious consumer data breaches in history, affected approximately 147 million people.

The Marriott-Starwood breaches more than doubled that figure. The scope was global, with guests from numerous countries affected, though the FTC's action focused on American victims. The 1.8 million U.S. residents in the third breach alone are people who may not realize their travel information is at risk, because the earlier Starwood breaches received far more press. This widespread exposure means that if you stayed at any Marriott or Starwood property between 2014 and 2020, there is a meaningful probability your personal information was exposed.

Marriott-Starwood Data Breaches: Records Compromised by Incident

Breach 1 (2014-2015):        40,000 records
Breach 2 (2014-2018):   339,000,000 records
Breach 3 (2018-2020):     5,200,000 records
Total worldwide:        344,240,000 records

Source: Federal Trade Commission

What Security Failures Allowed These Breaches to Occur?

The FTC's investigation identified multiple critical security failures that left Marriott and Starwood vulnerable to these extended breaches. The company failed to implement adequate firewall and network access controls, allowing unauthorized users to reach guest databases. Marriott stored payment card data outside the secured cardholder data environment and left it unencrypted, violating fundamental PCI DSS (Payment Card Industry Data Security Standard) requirements that the hospitality industry has known about for two decades. Additionally, the company did not implement multifactor authentication, meaning that once attackers obtained a valid login credential, nothing else stood between them and the guest systems.

Another failure was inadequate monitoring and logging, which contributed to the extended detection times. When systems aren't properly monitored, intrusions can persist for months or even years before discovery. In the case of the first breach, the 14-month detection lag meant that attackers had free run of the card data until the intrusion was finally noticed. A mature security program measures time-to-detect in hours or days; a gap measured in years means there was effectively no detection capability at all, and Marriott's lax monitoring left the door wide open for persistent attackers.
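One concrete check that follows from the PCI DSS failure described above is cardholder-data discovery: scanning exports, backups and logs that live outside the cardholder data environment for cleartext card numbers. The script below is an added example, not code from the FTC complaint or from Marriott; the records it scans are constructed for illustration and use publicly documented test card numbers. It finds digit runs of card-number length, validates them with the Luhn check so that ordinary reference numbers are not flagged, and can redact the findings in place.

```python
import re
from typing import List, Tuple

# Constructed sample: a guest-profile export that ended up outside the CDE.
# 4111... and 5555... are public Visa/Mastercard test numbers (Luhn-valid).
SAMPLE_RECORDS = [
    "guest_id=1001 name=A. Traveler card=4111111111111111 exp=12/25",
    "guest_id=1002 name=B. Guest   card=5555 5555 5555 4444 exp=03/26",
    "guest_id=1003 name=C. Visitor card=tok_9f3a1c77 exp=09/27",   # tokenized: fine
    "guest_id=1004 name=D. Random  ref=1234567890123456",          # 16 digits, fails Luhn
    "guest_id=1005 name=E. Masked  card=411111******1111",         # already masked
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Covers the PAN lengths PCI DSS cares about.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (separators stripped) found in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn is a checksum, not proof of a card: expect some false
        # positives on other Luhn-checked identifiers and review them.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_records(records: List[str]) -> List[Tuple[int, str]]:
    """(record number, masked PAN) for every cleartext PAN in the records."""
    findings = []
    for lineno, rec in enumerate(records, 1):
        for pan in find_pans(rec):
            findings.append((lineno, mask_pan(pan)))
    return findings


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {lineno}: cleartext PAN {masked}")
    for rec in SAMPLE_RECORDS:
        print(redact(rec))
```

Records 1 and 2 are flagged; the tokenized value, the non-Luhn reference number and the already-masked entry are not. Redaction is a clean-up step for copies that should never have existed; the actual fix is to tokenize at the point of capture so the PAN is never written outside the CDE.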


What Must Marriott Do Under the Settlement?

As part of the settlement, Marriott is required to submit annual compliance certifications to the FTC for the next 20 years, demonstrating that it has maintained adequate security controls. Twenty-year terms are the norm for FTC consent orders, so the length itself is not a special judgment on Marriott; the substantive obligations are what matter. The company must also undergo independent third-party assessments of its security program every two years, with results reported to regulators and executives.

Beyond certification, Marriott must implement enhanced data security practices using a risk-based cybersecurity approach, meaning the company should prioritize protections based on the sensitivity of the data and the likelihood of compromise. The settlement also requires a data retention policy that limits how long personal information is kept, and a mechanism for guests to request deletion of their personal information. These requirements are a meaningful shift toward industry baseline practice, but multifactor authentication, encryption of sensitive data at rest, and continuous security monitoring are standard controls that should have been in place without regulatory enforcement.

What Happens to Your Personal Information Now?

If your data was compromised in one of these breaches, you may be at heightened risk for identity theft and fraud for years to come. Passport information, in particular, doesn’t expire quickly—a stolen passport number can be used to fraudulently obtain travel documents, open bank accounts, or commit international fraud long after the initial breach. Credit card fraud from the first breach may have already occurred during the 14-month detection window, but other forms of identity theft can emerge years later.

The settlement's consumer-facing remedies are operational rather than monetary: Marriott must let guests request deletion of their personal information and must review loyalty accounts for unauthorized activity on request and restore points taken by an attacker. The $52 million is paid to the states; the regulators' settlement does not create a claims fund that pays individual victims. Consumers whose identities have been misused would like to recover those losses, but in breach settlements generally, money reaches victims only through separate private litigation and is distributed on the basis of documented fraud losses, not as blanket compensation for exposure risk.


How to File a Claim and Check Your Eligibility

To determine whether you are covered, you'll need to check whether you stayed at any Marriott or Starwood property between 2014 and 2020. Both brands operated multiple hotel chains during this period, including luxury properties like St. Regis and W Hotels, as well as mainstream brands like Westin, Sheraton, and Aloft.

You can review your Marriott Bonvoy account history or credit card statements to confirm stays during the affected timeframe. The deletion-request and loyalty-account review remedies are obtained directly from Marriott; the FTC and state attorneys general websites carry the settlement terms and any updates to the procedures. Separate private class-action litigation over the same breaches may at some point offer a claims process, and such claim windows are typically short, so keep your stay records (card receipts, loyalty program history) and act promptly if a notice reaches you.

What This Settlement Means for the Hospitality Industry

The Marriott settlement represents a significant enforcement action that signals to the broader hospitality industry that regulators take data security seriously. Hotels collect substantial amounts of sensitive guest information—payment cards, passport numbers, home addresses—making them attractive targets for cybercriminals. The 20-year compliance requirement and independent auditing obligations may prompt other major hotel chains to invest more heavily in security infrastructure, knowing that similar breaches could result in comparable penalties.

However, the settlement also illustrates a broader challenge in data security accountability. Marriott will pay $52 million, but for a corporation with annual revenue exceeding $19 billion, that is well under one percent of a single year's revenue. Consumer advocates argue that penalties should be large enough to create a genuine financial incentive to invest in security, rather than being absorbed as a cost of doing business. The settlement's focus on future compliance is important, but it underscores that regulatory enforcement, while valuable, may not be sufficient to prevent similar breaches at other hospitality companies without more substantial financial consequences.
