For roughly four years, hackers had free rein inside the Starwood guest reservation system, quietly siphoning passport numbers, payment card details, birth dates, and contact information belonging to millions of travelers. Marriott International, which inherited the compromised system when it acquired Starwood Hotels in September 2016, did not detect the intrusion until September 2018. By then, 131.5 million U.S. guest records had been exposed.
Now the company has agreed to pay $52 million to settle claims brought by attorneys general in all 50 states. But the payout carries a bitter footnote: every dollar goes to state governments. Not a cent is designated for the consumers whose data was stolen.
Inside the $52 million settlement
The multistate coalition, co-led by Connecticut Attorney General William Tong, finalized the agreement to resolve allegations that Marriott violated consumer protection and data breach notification laws nationwide. The settlement was announced by the Connecticut Attorney General’s office in October 2024, and its injunctive terms have been taking effect in the months since. According to that announcement, attackers first infiltrated the Starwood reservation system in 2014, two years before Marriott completed its acquisition. They maintained access until Marriott’s security team finally identified the intrusion in September 2018.
The scope of what was taken goes well beyond email addresses. The Ohio Attorney General’s office confirmed that unencrypted passport numbers and payment card data were among the compromised records. In a January 2019 update to its original breach disclosure, Marriott estimated that approximately 5.25 million unencrypted passport numbers had been exposed globally. That is the kind of data that enables identity theft, financial fraud, and forged travel documents.
Marriott did not admit wrongdoing as part of the settlement, a standard provision in multistate agreements of this kind.
The $52 million is divided among the states rather than set aside for direct consumer restitution. The New York Attorney General’s office said its share would fund state enforcement and consumer protection efforts. Other states, including Colorado, Massachusetts, and North Carolina, disclosed their own portions, though no single public document compiles all 50 allocations.
For perspective: Marriott reported approximately $6.4 billion in total revenue for fiscal year 2024, according to its annual filing. Against that figure, $52 million amounts to less than 1% of a single year’s revenue.
Why the security overhaul reads like a checklist Marriott should have completed years ago
The settlement’s injunctive terms require Marriott to overhaul how it handles guest data, but a close reading reveals that most of the mandated changes reflect baseline security hygiene that the hospitality industry has recognized as standard practice for over a decade. The company must strengthen its information security controls, implement stricter access management, and limit how long it retains personal information collected through reservations. States also required Marriott to give U.S. customers a process to request deletion of certain personal data, a provision that mirrors privacy rights emerging in state-level legislation across the country.
What stands out is not the ambition of these requirements but how unremarkable they are. Multi-factor authentication, network segmentation, regular vulnerability scanning, and data minimization policies are not cutting-edge concepts. They are the kinds of controls that security auditors flag as missing during routine assessments. The fact that a court order was needed to compel a Fortune 500 hospitality company to adopt them underscores how far behind Marriott’s Starwood infrastructure had fallen, and raises questions about whether the settlement’s compliance monitoring will be rigorous enough to verify real change rather than paper compliance.
These obligations run alongside a separate federal action. The Federal Trade Commission issued an order directing Marriott and its Starwood subsidiary to implement a comprehensive security program addressing the failures that left the Starwood system exposed for years. The FTC’s order covers breaches affecting more than 344 million customer records worldwide and includes one of the few provisions that directly benefit individuals: a mechanism to restore loyalty points for Marriott Bonvoy members who lost them because of the incident.
What consumers actually get
The short answer: very little from this particular settlement. The $52 million flows to state treasuries. The injunctive terms may improve Marriott’s security going forward, but they do not compensate anyone for the years their data sat in the hands of unauthorized intruders.
That gap has drawn pointed criticism. Consumer advocacy organizations, including the Electronic Privacy Information Center, have long argued that breach victims bear the ongoing burden of monitoring their credit, freezing accounts, and replacing compromised documents, all at their own expense and on their own time, while the companies responsible pay penalties that never reach the people harmed.
Affected guests do have other avenues. Multiple class-action lawsuits were filed after the breach was disclosed in November 2018, and several remain in various stages of litigation as of May 2026. The FTC’s loyalty-point restoration mechanism offers narrow relief for Bonvoy members. And consumers in states with comprehensive privacy laws, such as the California Consumer Privacy Act, may have additional rights to request data deletion or to obtain information about what Marriott collected on them.
But none of that changes the central dynamic of the state settlement: the company that failed to protect 131.5 million guest records is writing a check, and the people whose records were exposed are not on the receiving end.
How this compares to other breach penalties
The $52 million figure looks modest next to other major data breach settlements in recent years:
- Equifax (2019): Paid $700 million to resolve its breach of 147 million consumer records. Of that, $425 million went into a consumer restitution fund.
- T-Mobile (2022): Agreed to a $350 million class-action settlement after a breach affecting 76 million people. Approximately $200 million was designated for affected customers, with $150 million earmarked for data security upgrades.
- Capital One (2022): Paid $190 million to settle a class action over its 2019 breach of 100 million records, with funds directed to affected consumers.
In each of those cases, consumers received at least some direct compensation. The Marriott state settlement stands out because it routes the entire penalty to government, leaving individual relief to separate legal proceedings that may take years to resolve.
Internationally, the comparison is also instructive. The United Kingdom’s Information Commissioner’s Office fined Marriott £18.4 million in 2020 over the same Starwood breach, reduced from an initially proposed penalty of £99 million. That fine, too, went to the regulator rather than to affected travelers.
What remains unclear
Several important details are still absent from the public record as of June 2026. Neither state nor federal authorities have broken down how many of the 131.5 million exposed U.S. records contained passport numbers, how many included payment card data, and how many were limited to less sensitive details like email addresses. Regulators describe the compromised data in aggregate, which makes it difficult for any individual guest to assess their specific risk.
Marriott has not released a detailed accounting of what it spent to investigate the breach, rebuild the Starwood infrastructure, notify affected consumers, and comply with new security and data retention requirements. Without those figures, it is hard to gauge whether the $52 million penalty represents a meaningful financial consequence or a negligible line item on the company’s balance sheet.
Technical details are similarly sparse. State attorneys general described the breach as the product of inadequate security practices, but their public filings do not specify the vulnerabilities exploited, the methods the attackers used, or the full forensic timeline. That is typical of consumer protection settlements, which focus on legal violations rather than technical postmortems, but it leaves both security professionals and affected guests without a complete picture of what went wrong.
Where this leaves Marriott’s 131 million exposed guests
For the millions of travelers whose data was compromised, the practical reality is uncomfortable. The largest settlement tied to this breach sends money to state governments, not to them. The security improvements Marriott is now required to make should have been in place before 2014. And the class-action litigation that might eventually deliver individual compensation continues to move through the courts with no guaranteed outcome or timeline.
If you were a Starwood guest during the breach window of 2014 to 2018, the most concrete steps available right now are to monitor your credit reports through AnnualCreditReport.com, place a credit freeze if you have not already done so, and check whether your passport number was among those exposed by contacting Marriott’s dedicated breach response resources. The settlement may have closed the book for 50 attorneys general, but for the people whose data was stolen, the consequences are still unfolding.