Between 2014 and 2020, Marriott International suffered three separate data
breaches that collectively exposed the personal information of approximately
344 million hotel guests worldwide. The most significant breach originated
in the Starwood Hotels reservation system in 2014, two years before
Marriott acquired Starwood, and remained undetected for over four years,
compromising 339 million guest records including 5.25 million unencrypted
passport numbers. The FTC imposed a 20-year consent order, a 49-state
attorney general coalition extracted $52 million in settlements, and the
UK Information Commissioner’s Office levied a separate £18.4 million
penalty under GDPR.
## Key Facts
- **What:** Three breaches over six years, starting in acquired Starwood systems.
- **Who:** 344 million hotel guests worldwide.
- **Data Exposed:** 5.25M unencrypted passport numbers, payment cards, and personal details.
- **Outcome:** FTC 20-year order, $52M state settlement, and UK GDPR fine.
## What Was Exposed
- Names, mailing addresses, phone numbers, and email addresses for up to
339 million guests in the primary breach
- Passport numbers for approximately 5.25 million guests, stored unencrypted
in the Starwood reservation database
- Starwood Preferred Guest (SPG) account numbers and loyalty program details
- Dates of birth for a substantial subset of affected guests
- Arrival and departure dates, reservation details, and communication preferences
- Payment card numbers and expiration dates for approximately 8.6 million cards,
encrypted with AES-128 but with evidence that decryption keys may have been
compromised
- Additional records from a 2020 breach affecting 5.2 million guests via
compromised employee credentials
The exposure of 5.25 million unencrypted passport numbers was an unprecedented
element of this breach. Passport numbers, combined with names and dates of
birth, can be used for identity fraud at international borders, fraudulent
visa applications, and sophisticated impersonation.
For guests who traveled internationally through Marriott/Starwood properties,
the combination of passport data with travel dates and hotel locations
created a detailed intelligence profile of their international movements.
## Three Breaches, One Pattern of Failure
**Breach One (2014-2018):** The primary breach began in July 2014,
when attackers gained access to the Starwood Hotels reservation system. The
Starwood system used a legacy architecture with limited segmentation and
monitoring capabilities. Attackers installed a remote access trojan (RAT)
and a web shell, establishing persistent access that they maintained
continuously for four years.
They deployed memory-scraping malware to capture payment card data and ran
periodic database queries to exfiltrate guest records.
In September 2016, Marriott completed its $13.6 billion acquisition of
Starwood Hotels. The acquisition due diligence process did not identify
the active compromise of Starwood’s reservation system. After the
acquisition, Marriott began the process of migrating Starwood’s
reservation data into its own systems, but this migration occurred
without a comprehensive security audit of the Starwood infrastructure.
The attackers continued to operate within the Starwood systems for two
more years after the acquisition. The breach was finally detected on
September 8, 2018, when a security tool flagged an unauthorized query
against the Starwood guest reservation database. An internal investigation
revealed the full scope of the four-year compromise. Marriott publicly
disclosed the breach on November 30, 2018.
**Breach Two (January 2020):** In January 2020, Marriott discovered
that hackers had used the login credentials of two employees at a franchise
property to access the company’s guest loyalty application. Approximately
5.2 million guest records were accessed, including names, addresses, phone
numbers, loyalty account details, and personal preferences.
The breach was discovered when abnormal data access patterns were detected
through enhanced monitoring systems implemented after the 2018 disclosure.
**Breach Three (2020):** A third breach, also disclosed in 2020,
involved unauthorized access to an internal system through compromised
employee credentials. The scope was narrower than the previous incidents,
but its occurrence underscored the persistent vulnerability of Marriott’s
systems and the inadequacy of access controls even after two prior breaches
had prompted remediation efforts.
## Regulatory Analysis
**FTC Act Section 5 - 20-Year Consent Order:** In October 2024,
the FTC finalized a comprehensive consent order against Marriott and Starwood
under Section 5 of the FTC Act. The order found that Marriott’s data
security practices were unfair, citing:
- Failure to conduct adequate due diligence on Starwood’s cybersecurity
posture before and during the acquisition
- Failure to implement reasonable security measures across the combined entity
- Misleading statements about the company’s data security practices
The 20-year order requires Marriott to implement a comprehensive information
security program with specific requirements including data minimization,
access controls, network monitoring, and incident response. Marriott must
retain personal information only as long as there is a legitimate business
need. The company must conduct annual security assessments and submit to
biennial third-party audits. Any future breaches affecting 500 or more
consumers must be reported to the FTC within 30 days.
**49-State Attorney General Settlement:** In October 2024, Marriott
agreed to a $52 million settlement with attorneys general from 49 states
and the District of Columbia. The settlement addressed violations of state
consumer protection statutes and data breach notification laws.
Marriott was required to implement specific security improvements including
multi-factor authentication for remote access, enhanced network segmentation,
regular penetration testing, and improved employee training. The settlement
also imposed data minimization requirements specific to the hotel industry,
including limits on the retention of payment card data and guest identity
documents.
**State Consumer Protection and Breach Notification:** The four-year
delay in detecting the primary breach meant that Marriott could not notify
affected consumers until November 2018, four years after their data was
first compromised. Several state attorneys general investigated whether
Marriott’s discovery timeline itself was unreasonable given the company’s
resources and the security standards expected of organizations handling
personal data at this scale.
**UK ICO GDPR Enforcement:** The UK Information Commissioner’s Office
issued a £18.4 million fine under the General Data Protection Regulation
for the breach’s impact on UK-based guests. The ICO found that Marriott
failed to implement appropriate technical and organizational measures to
protect the personal data processed through the Starwood reservation system.
The ICO specifically cited Marriott’s failure to conduct adequate
cybersecurity due diligence when acquiring Starwood as a contributing
factor. Originally, the ICO had announced its intention to fine Marriott
£99.2 million, but the penalty was reduced following representations
from Marriott and consideration of the economic impact of the COVID-19
pandemic.
## What Should Have Been Done
**Cybersecurity Due Diligence in M&A:** The Marriott-Starwood
breach is the canonical example of cybersecurity risk inherited through
corporate acquisition. When Marriott acquired Starwood for $13.6 billion,
it also acquired an active, undetected breach that would ultimately cost
hundreds of millions in penalties, settlements, and remediation.
Pre-acquisition cybersecurity due diligence must be as rigorous as financial
and legal due diligence. This includes comprehensive penetration testing,
security architecture review, incident history analysis, and deployment
of threat hunting resources to identify existing compromises.
**Post-Acquisition Security Integration:** Even if pre-acquisition
due diligence had not detected the breach, a comprehensive security
assessment of the acquired infrastructure should have been conducted
before integrating Starwood’s systems into Marriott’s environment.
The two-year window between the acquisition and breach discovery
represents a missed opportunity to detect the compromise.
**Passport Data Encryption:** Storing 5.25 million passport numbers
unencrypted in a reservation database is an indefensible practice. Passport
numbers are high-value identity credentials that should be encrypted at rest
with strong key management, retained only for the minimum period required
by legal or operational necessity, and accessible only to systems and
personnel with a demonstrated need.
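One way to meet the encryption and retention requirements described above, written as an added example (not code from the case study, from Marriott, or from any vendor): each passport number is sealed under its own per-record data key (DEK), the DEK is wrapped by a master key-encryption key (KEK), the guest identifier is bound to both ciphertexts as associated data so a record cannot be transplanted onto another guest's row, and a purge deadline travels with the record and is enforced on every read. It uses Go's standard-library AES-256-GCM. The in-memory KEK, the guest id, the passport value and the retention period are constructed for illustration; in production the KEK would live in an HSM or KMS and the wrap and unwrap calls would go to that service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrExpired: the purge job owns this record now; no caller gets to read it.
var ErrExpired = errors.New("passport record past retention date; purge it, do not read it")

// EncryptedPassport is what the reservation database stores instead of the
// passport number. Each record has its own DEK wrapped by the KEK, so rotating
// the KEK means rewrapping DEKs rather than re-encrypting every passport.
type EncryptedPassport struct {
	GuestID    string
	WrapNonce  []byte // nonce used when sealing the DEK under the KEK
	WrappedDEK []byte // AES-256-GCM(DEK) under the KEK, AAD = GuestID
	Nonce      []byte // nonce used for the passport ciphertext
	Ciphertext []byte // AES-256-GCM(passport) under the DEK, AAD = GuestID
	Expires    time.Time
}

// sealGCM encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if key, nonce, ciphertext or aad differ.
func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptPassport seals a passport number for guestID under a fresh DEK and records when it must be purged.
func EncryptPassport(kek []byte, guestID, passport string, retention time.Duration, now time.Time) (*EncryptedPassport, error) {
	dek := make([]byte, 32) // AES-256 data key, unique to this record
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(guestID) // binds both ciphertexts to this guest's row
	nonce, ct, err := sealGCM(dek, []byte(passport), aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedPassport{GuestID: guestID, WrapNonce: wrapNonce, WrappedDEK: wrapped,
		Nonce: nonce, Ciphertext: ct, Expires: now.Add(retention)}, nil
}

// DecryptPassport refuses expired records, unwraps the DEK, then opens the
// passport. A ciphertext moved to another guest's row fails the AAD check.
func DecryptPassport(kek []byte, rec *EncryptedPassport, now time.Time) (string, error) {
	if !now.Before(rec.Expires) {
		return "", ErrExpired
	}
	aad := []byte(rec.GuestID)
	dek, err := openGCM(kek, rec.WrapNonce, rec.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openGCM(dek, rec.Nonce, rec.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("open passport: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KMS-held key
	rand.Read(kek)
	rec, _ := EncryptPassport(kek, "guest-42", "X1234567", 24*time.Hour, time.Now())
	fmt.Println(DecryptPassport(kek, rec, time.Now()))
}
```

The retention check sits in the read path on purpose: a purge job that runs late should not leave a window in which an expired identity document is still readable. Access control (which services may call `DecryptPassport` at all) is enforced at the KMS and application layer and is outside what this snippet shows.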
**Network Segmentation and Monitoring:** The four-year dwell time
demonstrates catastrophic failures in both network segmentation and security
monitoring. The Starwood reservation system should have been isolated behind
strict network boundaries with all database access monitored and alerted.
Web shells and RATs leave host and network artifacts (periodic beaconing,
unusual outbound connections, unexpected process execution) that are
detectable with modern endpoint detection and response (EDR) and network
detection systems.
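The unauthorized query that finally exposed the Starwood compromise in September 2018 is exactly the kind of event a database audit log check should flag before a dwell time of four years accrues. The Go program below is an added example, not code from the original case study or from Marriott's own tooling: it parses constructed audit log lines (the principals, hosts, table name and row ceilings are illustrative assumptions) and flags a query when the database account is not allowlisted for the table, when a single query returns more rows than that account's ceiling, or when the connection arrives from a host outside the reservation network segment. It generalises beyond the single flagged query in the text to the three checks a segmented, monitored reservation database would apply to every query.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one parsed line of a database audit log.
type AuditEvent struct {
	When      time.Time
	Principal string // database account that issued the query
	SrcHost   string // address the connection came from
	Table     string
	Rows      int // rows returned by the query
}

// Policy describes expected access to the guest reservation table. RowCeiling
// maps each allowlisted principal to the most rows one query may return; a
// principal missing from the map is not allowed to touch the table at all.
type Policy struct {
	RowCeiling   map[string]int
	AllowedHosts map[string]bool // hosts inside the reservation segment
}

// Finding is an event that violated the policy, with every reason it did.
type Finding struct {
	Event   AuditEvent
	Reasons []string
}

// DefaultPolicy holds constructed values: the application account reads single
// reservations from its own host, and a reporting account may read batches.
var DefaultPolicy = Policy{
	RowCeiling:   map[string]int{"resv_app": 100, "svc_report": 50000},
	AllowedHosts: map[string]bool{"10.20.1.15": true, "10.20.1.20": true},
}

// SampleLog is a constructed audit log: two routine lookups, a bulk read from
// a host outside the segment, a legitimate report, and an unknown account.
const SampleLog = `
2018-09-07T10:02:11Z principal=resv_app host=10.20.1.15 table=guest_reservation rows=1
2018-09-07T10:02:12Z principal=resv_app host=10.20.1.15 table=guest_reservation rows=3
2018-09-08T02:14:00Z principal=resv_app host=10.99.7.42 table=guest_reservation rows=250000
2018-09-08T02:15:30Z principal=svc_report host=10.20.1.20 table=guest_reservation rows=5000
2018-09-08T02:16:01Z principal=dba_temp host=10.99.7.42 table=guest_reservation rows=1
`

// ParseLine parses "<RFC3339 time> principal=.. host=.. table=.. rows=..".
func ParseLine(line string) (AuditEvent, error) {
	var ts string
	var e AuditEvent
	_, err := fmt.Sscanf(line, "%s principal=%s host=%s table=%s rows=%d", &ts, &e.Principal, &e.SrcHost, &e.Table, &e.Rows)
	if err != nil {
		return AuditEvent{}, fmt.Errorf("malformed audit line %q: %w", line, err)
	}
	if e.When, err = time.Parse(time.RFC3339, ts); err != nil {
		return AuditEvent{}, err
	}
	return e, nil
}

// Evaluate returns the reasons an event violates the policy; empty means benign.
func Evaluate(p Policy, e AuditEvent) []string {
	var reasons []string
	ceiling, known := p.RowCeiling[e.Principal]
	switch {
	case !known:
		reasons = append(reasons, "principal "+e.Principal+" is not allowlisted for "+e.Table)
	case e.Rows > ceiling:
		reasons = append(reasons, fmt.Sprintf("bulk read: %d rows exceeds ceiling %d for %s", e.Rows, ceiling, e.Principal))
	}
	if !p.AllowedHosts[e.SrcHost] {
		reasons = append(reasons, "connection from "+e.SrcHost+", outside the reservation segment")
	}
	return reasons
}

// Scan evaluates every line of the log and returns the findings in log order.
func Scan(p Policy, log string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		if reasons := Evaluate(p, e); len(reasons) > 0 {
			findings = append(findings, Finding{Event: e, Reasons: reasons})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Scan(DefaultPolicy, SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.Event.When.Format(time.RFC3339), f.Event.Principal, f.Reasons)
	}
}
```

Running `Scan(DefaultPolicy, SampleLog)` yields two findings: the 250,000-row read from an unsegmented host, and the unknown `dba_temp` account connecting from the same host. In a real deployment the policy is derived from the segmentation design rather than written as a literal, and findings are routed to the SIEM so that the first out-of-policy query, not the thousandth, is the one that gets investigated.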
**Data Minimization in Hospitality:** Hotels collect enormous volumes
of personal data, much of which is retained indefinitely. The FTC consent
order’s data minimization requirements reflect a growing regulatory
expectation that organizations retain personal data only as long as
necessary. Hotels should implement automated data lifecycle policies
that purge guest personal information after checkout, retaining only the
minimum data required for legal, loyalty program, and financial
record-keeping purposes.
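The automated lifecycle policy described above, as an added example (not code from the page, from Marriott, or from the FTC order): a per-field retention schedule keyed to the checkout date, with a loyalty-membership exception, applied by a job that clears expired fields and reports what it purged. The field set, the retention periods (one day for identity documents, 90 days for contact details, seven years for financial records) and the guest record are assumptions constructed for the example, not actual regulatory requirements.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// GuestRecord is a simplified guest profile constructed for this example.
// PaymentToken is a tokenized reference to the card, never the card number.
type GuestRecord struct {
	GuestID        string
	Name           string
	Email          string
	Phone          string
	PassportNumber string
	DateOfBirth    string
	PaymentToken   string
	FolioTotal     string // financial record of the stay
	LoyaltyID      string
	Checkout       time.Time
	LoyaltyActive  bool
}

// Rule: a field may live Days after checkout; Keep, if set, overrides the
// deadline while it returns true; Ptr selects the field to clear.
type Rule struct {
	Name string
	Days int
	Keep func(*GuestRecord) bool
	Ptr  func(*GuestRecord) *string
}

func loyaltyActive(r *GuestRecord) bool { return r.LoyaltyActive }

// RetentionSchedule holds assumed periods for illustration; they are not
// Marriott's policy or the FTC order's terms.
var RetentionSchedule = []Rule{
	// Identity documents: needed for the stay itself, gone the day after checkout.
	{"PassportNumber", 1, nil, func(r *GuestRecord) *string { return &r.PassportNumber }},
	{"DateOfBirth", 1, loyaltyActive, func(r *GuestRecord) *string { return &r.DateOfBirth }},
	// Contact details: 90 days for post-stay correspondence unless a loyalty member.
	{"Email", 90, loyaltyActive, func(r *GuestRecord) *string { return &r.Email }},
	{"Phone", 90, loyaltyActive, func(r *GuestRecord) *string { return &r.Phone }},
	// Financial records: assumed seven-year bookkeeping period.
	{"Name", 7 * 365, nil, func(r *GuestRecord) *string { return &r.Name }},
	{"PaymentToken", 7 * 365, nil, func(r *GuestRecord) *string { return &r.PaymentToken }},
	{"FolioTotal", 7 * 365, nil, func(r *GuestRecord) *string { return &r.FolioTotal }},
	// Loyalty identifier: kept while membership is active, purged once it lapses.
	{"LoyaltyID", 0, loyaltyActive, func(r *GuestRecord) *string { return &r.LoyaltyID }},
}

// ApplyRetention clears every populated field whose window has elapsed and
// returns the names of the fields it purged, sorted. Run it on a schedule and
// again whenever a guest's loyalty status changes.
func ApplyRetention(r *GuestRecord, now time.Time) []string {
	var purged []string
	for _, rule := range RetentionSchedule {
		if rule.Keep != nil && rule.Keep(r) {
			continue
		}
		deadline := r.Checkout.AddDate(0, 0, rule.Days)
		if now.Before(deadline) {
			continue
		}
		if field := rule.Ptr(r); *field != "" {
			*field = ""
			purged = append(purged, rule.Name)
		}
	}
	sort.Strings(purged)
	return purged
}

func main() {
	checkout := time.Date(2024, 3, 10, 12, 0, 0, 0, time.UTC)
	g := GuestRecord{GuestID: "g1", Name: "A. Guest", Email: "a@example.com", Phone: "+1 555 0100",
		PassportNumber: "X1234567", DateOfBirth: "1980-01-01", PaymentToken: "tok_1",
		FolioTotal: "412.50", LoyaltyID: "SPG-1", Checkout: checkout}
	for _, days := range []int{2, 91, 7*365 + 1} {
		fmt.Printf("%4d days after checkout purged: %v\n", days, ApplyRetention(&g, checkout.AddDate(0, 0, days)))
	}
}
```

The schedule is data rather than scattered `if` statements so that legal and privacy teams can review the retention periods as a table, and so the same job can be pointed at historical records during a migration such as the Starwood integration: applying it there would have removed identity documents for every guest whose stay had already ended.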
The Marriott/Starwood breach saga is the most expensive lesson in
cybersecurity due diligence in corporate history: three breaches over
six years, 344 million exposed guest records, 5.25 million unencrypted
passport numbers, and combined penalties exceeding $70 million across
U.S. and UK enforcement actions. For any organization considering an
acquisition, the Marriott case delivers an unambiguous message: you
inherit the target’s security failures along with its assets, and
the regulatory consequences will be yours to bear.