Marriott Data Breach Settlement: A Practical Guide for Hotel Guests
Understand what the Marriott data breach settlement means, what protections you have now, and how to better safeguard your personal information.
The long-running investigation into data breaches involving Marriott International and its Starwood guest reservation systems has led to coordinated settlements with the Federal Trade Commission (FTC) and attorneys general from almost every U.S. state. These actions require Marriott to overhaul its data security and provide new protections to millions of current and former guests whose personal information was at risk.
This guide explains what happened, what the settlement requires, how it affects you as a hotel guest, and the practical steps you can take to protect your information going forward.
Background: What Happened in the Marriott–Starwood Breach?
Marriott acquired Starwood Hotels & Resorts in 2016 and took control of Starwood’s reservation systems. However, investigators later found that intruders had been inside the Starwood network for years before and after the acquisition without being detected.
- Intrusion period: Attackers were in the Starwood system from approximately July 2014 through September 2018.
- Records affected: About 131.5 million guest records tied to U.S. consumers were impacted.
- Scope: The breach affected guests who made reservations at Starwood-branded properties (including brands Starwood operated before it was acquired by Marriott).
The multistate investigation and the FTC found that Marriott and Starwood failed to implement reasonable and appropriate security measures, even as they collected and stored large volumes of sensitive guest data.
What Types of Data Were At Risk?
The exposed records contained a wide range of personal and travel-related information about guests.
- Contact details, such as name, mailing address, email address, and phone number
- Demographic information, including gender and date of birth
- Loyalty program information, such as legacy Starwood Preferred Guest account details
- Reservation data, including arrival and departure dates and hotel stay preferences
- In some cases, unencrypted passport numbers
- In some cases, unexpired payment card details, including expiration dates and possibly other card data
The Future of AI: Preventing a Big Tech Monopoly >
Not every affected guest had all of these data elements exposed. In most cases, the records contained contact and reservation information, while only a smaller subset involved unencrypted passport or payment card data.
Key Settlement Actions: FTC and State Attorneys General
The response to the Starwood–Marriott breaches involved two main enforcement tracks:
- FTC enforcement action: The FTC brought a case requiring Marriott and Starwood to improve security practices and adopt stronger safeguards to prevent future breaches.
- Multistate settlement with attorneys general: A coalition of 50 state and territory attorneys general reached a separate settlement requiring Marriott to pay $52 million and to implement extensive cybersecurity reforms.
Although the FTC does not receive civil penalties under its order, the agency coordinated closely with the states to align the security reforms and consumer protections that Marriott must adopt globally.
What Marriott Must Change About Its Data Security
Under the settlements, Marriott is required to overhaul its approach to protecting guest data. The focus is on proactive, risk-based security rather than reactive, one-off fixes.
Core Security Improvements
- Comprehensive information security program: Marriott must implement and maintain a formal security program that covers its global operations, regular reporting to senior leadership, and board-level oversight of cybersecurity.
- Risk-based assessments: Marriott must conduct regular, enterprise-level risk assessments and analyze the security impact of changes to systems, especially those involving consumer data.
- Zero-trust principles: Some states highlight that Marriott is expected to incorporate modern security concepts such as zero-trust, which assume no user or device is trustworthy by default and require continuous verification.
- Better monitoring and detection: The company is required to improve logging, monitoring, and incident response so intrusions can be identified and contained more quickly.
- Stronger vendor and acquisition due diligence: Given that the breach stemmed from an acquired system, the orders emphasize security evaluation and remediation when Marriott buys or integrates other companies or technology platforms.
Data Minimization and Retention Practices
One of the most important lessons from the breach is that retaining large volumes of data for long periods increases the damage when a security incident occurs. The settlement requires Marriott to:
- Limit the collection of personal information to what is reasonably necessary
- Set clear retention periods for guest data
- Delete or de-identify information that is no longer needed for legal or business purposes
These data minimization measures reduce the “attack surface”—the amount of sensitive data available to criminals if they manage to compromise a system.
New Consumer-Focused Protections in the Settlement
Beyond internal security changes, the settlements create specific, ongoing rights and protections for hotel guests.
Data Deletion Rights
Marriott must give consumers the ability to request deletion of their personal data held by the company, even in states where such a right is not explicitly available under state law.
- You can ask Marriott to delete certain personal information associated with your account or reservations.
- The company may still retain some information if required for legal obligations, fraud prevention, or other limited purposes allowed by law.
Stronger Protection for Loyalty Accounts
Many affected guests used loyalty programs like Marriott Bonvoy. Because these accounts often hold substantial personal and travel data—and may be linked to stored payment methods—the settlement imposes specific requirements.
- Multi-factor authentication (MFA): Marriott must offer MFA for loyalty accounts, meaning users need an additional verification step (such as a one-time code) beyond just a password.
- Suspicious activity reviews: Marriott is required to review loyalty accounts when there are indications of unusual or suspicious activity.
MFA is widely recognized as one of the most effective steps regular users can take to strengthen account security, especially against credential stuffing and phishing attacks.
Table: Main Consumer Protections at a Glance
| Protection | What It Means for You |
|---|---|
| Data deletion option | You can request that Marriott remove certain personal data it stores about you, subject to legal exceptions. |
| Multi-factor authentication for loyalty accounts | You can enable extra login security on programs like Marriott Bonvoy to reduce the risk of account takeover. |
| Improved monitoring of suspicious activity | Marriott must review and address suspicious patterns in loyalty accounts and other systems more quickly. |
| Risk-based security program | Guest data should be handled according to a structured, continually updated security process rather than ad hoc measures. |
| Data minimization | Less unnecessary data will be stored about you, reducing exposure if future incidents occur. |
Does the Settlement Mean You Will Receive Money?
The multistate settlement requires Marriott to pay a total of $52 million, distributed among the participating states and territories. This money is primarily a penalty and may also support state consumer protection work; it is not automatically distributed as direct payments to individual consumers.
Some states may pursue additional consumer restitution or direct relief programs, but that depends on state law and separate processes. If any claim or restitution programs become available, they are typically announced through official state attorney general or FTC channels.
Steps You Can Take If You Stayed at a Starwood or Marriott Property
Even though the breaches centered on Starwood systems, the investigation and the large number of records affected make it wise for many hotel guests to take precautionary steps.
1. Secure Your Loyalty and Hotel Accounts
- Enable multi-factor authentication: Turn on MFA for Marriott Bonvoy and any other linked accounts as soon as possible.
- Use unique, strong passwords: Avoid reusing the same password across email, banking, and travel services. A password manager can help create and store complex passwords.
- Review account activity: Check for unfamiliar reservations, redemptions of points, or changes to your contact details.
2. Monitor Your Financial Accounts
Because some records included unencrypted payment card information, you should keep an eye on your financial statements and consider additional protections.
- Review credit card and bank statements regularly for unauthorized charges.
- Sign up for account alerts (text or email notifications) from your bank or card issuer.
- Immediately report suspicious charges to your financial institution and request a new card if needed.
3. Protect Your Identity and Credit
If your passport details or other sensitive information may have been exposed, you can adopt broader identity protection measures:
- Check your credit reports from major credit bureaus at least annually.
- Consider placing a fraud alert or credit freeze with the credit bureaus if you suspect misuse of your data.
- Watch for phishing attempts that reference your travel history or hotel stays.
4. Use Your Data Deletion Option
If you no longer stay at Marriott or you prefer to reduce the amount of information the company stores about you, explore the data deletion mechanisms Marriott is required to provide under the settlement.
- Visit Marriott’s privacy or data request page, or contact customer service to ask how to submit a deletion request.
- Keep records of your request, such as confirmation emails or reference numbers.
What This Case Signals for the Travel and Hospitality Industry
The Marriott case is one of the most visible examples of large-scale enforcement over hotel and travel data security.
- Large penalties and broad reforms: The $52 million payment and global security obligations send a signal that regulators expect strong cybersecurity from companies that hold large pools of personal and payment data.
- Focus on acquisitions: Regulators scrutinized how Marriott assessed and addressed security risks when it acquired Starwood, underlining that mergers and acquisitions are critical points for cybersecurity due diligence.
- Consumer control over data: The required data deletion option reflects a broader shift toward giving people more say in how long companies keep their information, even where local law is less explicit about such rights.
As a result, other hotel chains, airlines, and travel platforms are likely to review their own incident response and data security programs to avoid similar enforcement actions.
Frequently Asked Questions (FAQs)
Q1: How do I know if I was affected by the Marriott–Starwood breach?
Marriott previously notified many affected guests through email or other direct channels after the breach was discovered. If you stayed at a Starwood-branded hotel between 2014 and 2018, your data may have been in the impacted reservation system, even if you do not remember receiving a notice. You can contact Marriott directly to ask whether your information was involved.
Q2: Is my information still at risk now?
The breaches that triggered the settlements involved historic intrusions into Starwood systems that have since been retired or remediated. The current risk mostly involves how any already-exposed data could be misused by criminals, for example, in identity theft or phishing attempts. Using MFA, monitoring financial accounts, and limiting what data you share with any service can reduce the risk of future misuse.
Q3: Does the settlement erase the past damage?
No legal settlement can retroactively remove information that may already have been copied or sold by attackers. However, the FTC and multistate settlements aim to reduce the likelihood of future incidents and to improve monitoring, detection, and response if something does occur. The new consumer protections—like MFA and data deletion options—also help you limit future harm.
Q4: Will I automatically get free credit monitoring?
The multistate settlement focuses on penalties paid to states and on structural security reforms. Any decision to provide free credit monitoring typically comes as part of a separate breach-response effort or class-action settlement. Check official notices from Marriott, the FTC, or your state attorney general for any updates about additional consumer services.
Q5: What should I do if I think someone used my information fraudulently?
If you suspect fraud or identity theft, promptly contact your bank or card issuer, change passwords for affected accounts, consider placing a credit freeze or fraud alert, and file a report with relevant authorities such as the FTC’s identity theft resources. Early action makes it easier to contest fraudulent charges and limit longer-term harm.
References
- AG Campbell Announces $52 Million Settlement With Marriott for Breach of Guest Reservation Database — Massachusetts Attorney General. 2024-10-09. https://www.mass.gov/news/ag-campbell-announces-52-million-settlement-with-marriott-for-breach-of-guest-reservation-database
- Marriott Data Breach Affected Millions of New York Customers, Attorney General James Secures $2.29 Million for New York — New York Attorney General. 2024-10-09. https://ag.ny.gov/press-release/2024/attorney-general-james-announces-52-million-multistate-settlement-marriott-over
- Attorney General Raoul Announces $52 Million Settlement Agreement With Marriott for Data Breach of Starwood Reservation Database — Illinois Attorney General. 2024-10-09. https://illinoisattorneygeneral.gov/news/story/attorney-general-raoul-announces-52-million-settlement-agreement-with-marriott-for-data-breach-of-starwood-reservation-database
- AG Yost Announces $52 Million Agreement with Marriott Over Data Breach — Ohio Attorney General. 2024-10-09. https://www.ohioattorneygeneral.gov/Media/News-Releases/October-2024/AG-Yost-Announces-$52-Million-Agreement-with-Marri
- Attorney General Josh Stein Reaches $52 Million Multistate Data Breach Settlement with Marriott — North Carolina Department of Justice. 2024-10-09. https://ncdoj.gov/attorney-general-josh-stein-reaches-52-million-multistate-data-breach-settlement-with-marriott/
- FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches — Federal Trade Commission. 2024-10-09. https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
- FTC and State AGs Settle with Marriott over Starwood Data Breaches — Alston & Bird LLP. 2024-10-15. https://www.alston.com/en/insights/publications/2024/10/ftc-state-ags-settle-marriott-over-data-breaches
Read full bio of medha deb





