Between 2014 and 2020, Marriott International suffered three separate data breaches that collectively exposed the personal information of approximately 344 million hotel guests worldwide. The most significant breach originated in the Starwood Hotels reservation system in 2014, two years before Marriott acquired Starwood, and remained undetected for more than four years, compromising 339 million guest records including 5.25 million unencrypted passport numbers.
Key Facts
- What: Three breaches over six years, the first beginning in the Starwood systems that Marriott acquired.
- Who: Approximately 344 million hotel guests worldwide.
- Data exposed: 5.25 million unencrypted passport numbers, payment card data, and personal details.
- Outcome: A 20-year FTC order, a $52 million multistate settlement, and a UK GDPR fine.
What Was Exposed
- Names, mailing addresses, phone numbers, and email addresses for up to 339 million guests in the primary breach
- Passport numbers for approximately 5.25 million guests, stored unencrypted in the Starwood reservation database
- Starwood Preferred Guest (SPG) account numbers and loyalty program details
- Dates of birth for a substantial subset of affected guests
- Arrival and departure dates, reservation details, and communication preferences
- Payment card numbers and expiration dates for approximately 8.6 million cards, encrypted with AES-128 but with evidence that decryption keys may have been compromised
- Additional records from a 2020 breach affecting 5.2 million guests via compromised employee credentials
The exposure of 5.25 million unencrypted passport numbers was an unprecedented element of this breach. Passport numbers, combined with names and dates of birth, can be used for identity fraud at international borders, fraudulent visa applications, and sophisticated impersonation.
For guests who traveled internationally through Marriott/Starwood properties, the combination of passport data with travel dates and hotel locations created a detailed intelligence profile of their international movements.
Three Breaches, One Pattern of Failure
Breach One (2014-2018): The primary breach began in July 2014, when attackers gained access to the Starwood Hotels reservation system. The Starwood system used a legacy architecture with limited segmentation and monitoring capabilities. Attackers installed a remote access trojan (RAT) and a web shell, establishing persistent access that they maintained continuously for four years.
They deployed memory-scraping malware to capture payment card data and ran periodic database queries to exfiltrate guest records.
In September 2016, Marriott completed its $13.6 billion acquisition of Starwood Hotels. The acquisition due diligence process did not identify the active compromise of Starwood’s reservation system. After the acquisition, Marriott began the process of migrating Starwood’s reservation data into its own systems, but this migration occurred without a comprehensive security audit of the Starwood infrastructure.
The attackers continued to operate within the Starwood systems for two more years after the acquisition. The breach was finally detected on September 8, 2018, when a security tool flagged an unauthorized query against the Starwood guest reservation database. An internal investigation revealed the full scope of the four-year compromise. Marriott publicly disclosed the breach on November 30, 2018.
Breach Two (January 2020): In January 2020, Marriott discovered that hackers had used the login credentials of two employees at a franchise property to access the company’s guest loyalty application. Approximately 5.2 million guest records were accessed, including names, addresses, phone numbers, loyalty account details, and personal preferences.
The breach was discovered when abnormal data access patterns were detected through enhanced monitoring systems implemented after the 2018 disclosure.
Breach Three (2020): A third breach, also disclosed in 2020, involved unauthorized access to an internal system through compromised employee credentials. The scope was narrower than the previous incidents, but its occurrence underscored the persistent vulnerability of Marriott’s systems and the inadequacy of access controls even after two prior breaches had prompted remediation efforts.
Regulatory Analysis
FTC Act Section 5 - 20-Year Consent Order: In October 2024, the FTC announced a comprehensive consent order against Marriott and Starwood under Section 5 of the FTC Act. The accompanying complaint charged that Marriott’s data security practices were unfair and deceptive, citing:
- Failure to conduct adequate due diligence on Starwood’s cybersecurity posture before and during the acquisition
- Failure to implement reasonable security measures across the combined entity
- Misleading statements about the company’s data security practices
The 20-year order requires Marriott to implement a comprehensive information security program with specific requirements including data minimization, access controls, network monitoring, and incident response. Marriott must retain personal information only as long as there is a legitimate business need. The company must conduct annual security assessments and submit to biennial third-party audits. Any future breaches affecting 500 or more consumers must be reported to the FTC within 30 days.
49-State Attorney General Settlement: In October 2024, Marriott agreed to a $52 million settlement with attorneys general from 49 states and the District of Columbia. The settlement addressed violations of state consumer protection statutes and data breach notification laws.
Marriott was required to implement specific security improvements including multi-factor authentication for remote access, enhanced network segmentation, regular penetration testing, and improved employee training. The settlement also imposed data minimization requirements specific to the hotel industry, including limits on the retention of payment card data and guest identity documents.
State Consumer Protection and Breach Notification: The four-year delay in detecting the primary breach meant that Marriott could not notify affected consumers until November 2018, four years after their data was first compromised. Several state attorneys general investigated whether Marriott’s discovery timeline itself was unreasonable given the company’s resources and the security standards expected of organizations handling personal data at this scale.
UK ICO GDPR Enforcement: The UK Information Commissioner’s Office issued a £18.4 million fine under the General Data Protection Regulation for the breach’s impact on UK-based guests. The ICO found that Marriott failed to implement appropriate technical and organizational measures to protect the personal data processed through the Starwood reservation system.
The ICO specifically cited Marriott’s failure to conduct adequate cybersecurity due diligence when acquiring Starwood as a contributing factor. Originally, the ICO had announced its intention to fine Marriott £99.2 million, but the penalty was reduced following representations from Marriott and consideration of the economic impact of the COVID-19 pandemic.
What Should Have Been Done
Cybersecurity Due Diligence in M&A: The Marriott-Starwood breach is the canonical example of cybersecurity risk inherited through corporate acquisition. When Marriott acquired Starwood for $13.6 billion, it also acquired an active, undetected breach that would ultimately cost hundreds of millions in penalties, settlements, and remediation.
Pre-acquisition cybersecurity due diligence must be as rigorous as financial and legal due diligence. This includes comprehensive penetration testing, security architecture review, incident history analysis, and deployment of threat hunting resources to identify existing compromises.
Post-Acquisition Security Integration: Even if pre-acquisition due diligence had not detected the breach, a comprehensive security assessment of the acquired infrastructure should have been conducted before integrating Starwood’s systems into Marriott’s environment.
The two-year window between the acquisition and breach discovery represents a missed opportunity to detect the compromise.
Passport Data Encryption: Storing 5.25 million passport numbers unencrypted in a reservation database is an indefensible practice. Passport numbers are high-value identity credentials that should be encrypted at rest with strong key management, retained only for the minimum period required by legal or operational necessity, and accessible only to systems and personnel with a demonstrated need.
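The following is an added example of what "encrypted at rest with strong key management" looks like for a single passport field; it is not code from the original page and not Marriott's or Starwood's implementation. Each record gets its own data-encryption key (DEK) that encrypts the field with AES-256-GCM; the DEK is then wrapped under a key-encryption key (KEK) that a KMS or HSM would hold, modelled here as an in-memory value so the example runs offline. The additional authenticated data binds every ciphertext to its guest ID and column name, so a ciphertext copied into another guest's row, or decrypted with the wrong KEK, fails authentication. The guest ID SPG-1001, the passport value and the field names are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedField is what the reservation database stores instead of a plaintext
// passport number. Without the KEK, which is held outside the database, none of it decrypts.
type EncryptedField struct {
	WrapNonce, WrappedDEK []byte // per-record data key, AES-GCM wrapped under the KEK
	Nonce, Ciphertext     []byte // AES-256-GCM(passport), bound to guest ID and field name via AAD
}

// KEK stands in for the key-encryption key a KMS or HSM would hold. Assumption: in
// production it never leaves the KMS; it is an in-memory byte slice here so the example runs offline.
type KEK []byte

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func NewKEK() (KEK, error) { b, err := randomBytes(32); return KEK(b), err }

// mustGCM builds an AES-GCM AEAD. Key lengths are fixed by this code (32 bytes),
// so a failure here is a programming error, not a runtime condition.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts pt under key with a fresh random nonce (a nonce must never be reused with the same key).
func seal(key, aad, pt []byte) (nonce, ct []byte, err error) {
	aead := mustGCM(key)
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, pt, aad), nil
}

// aad binds a ciphertext to the row and column it belongs to, so copying it into
// another guest's row, or relabelling the column, fails authentication.
func aad(guestID, field string) []byte {
	return []byte("guest=" + guestID + ";field=" + field)
}

// EncryptPassport generates a per-record DEK, encrypts the field with it, then wraps
// the DEK under the KEK (envelope encryption). A copy of the database alone yields
// only wrapped keys and ciphertext; the KEK must be taken separately.
func EncryptPassport(kek KEK, guestID, passport string) (EncryptedField, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return EncryptedField{}, err
	}
	nonce, ct, err := seal(dek, aad(guestID, "passport"), []byte(passport))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapNonce, wrapped, err := seal(kek, aad(guestID, "dek"), dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPassport unwraps the DEK via the KEK, then opens the field. Both steps are
// authenticated, so a swapped row, a wrong KEK or a flipped ciphertext byte all fail.
func DecryptPassport(kek KEK, guestID string, f EncryptedField) (string, error) {
	dek, err := mustGCM(kek).Open(nil, f.WrapNonce, f.WrappedDEK, aad(guestID, "dek"))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := mustGCM(dek).Open(nil, f.Nonce, f.Ciphertext, aad(guestID, "passport"))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek, _ := NewKEK()
	rec, _ := EncryptPassport(kek, "SPG-1001", "X12345678") // constructed sample values
	fmt.Println(DecryptPassport(kek, "SPG-1001", rec))       // the passport number and a nil error
	fmt.Println(DecryptPassport(kek, "SPG-2002", rec))       // row copied to another guest: authentication error
}
```

The design point is where the KEK lives. The page notes that the payment card data was AES-128 encrypted but that the decryption keys may have been compromised as well; when the key sits in the same environment as the data, encryption at rest defends against a stolen disk and little else. Keeping the KEK in a KMS, with unwrap requests logged and rate-limited, means a bulk export of the reservation table does not by itself yield passport numbers, and the unwrap log becomes one more place where the periodic queries described above would have been visible.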
Network Segmentation and Monitoring: The four-year dwell time demonstrates catastrophic failures in both network segmentation and security monitoring. The Starwood reservation system should have been isolated behind strict network boundaries with all database access monitored and alerted.
Web shells and RATs generate network and host artifacts: periodic beaconing to a command-and-control address, unusual outbound connections from servers that should rarely initiate traffic, and unexpected process execution under a web server or database account. All of these are detectable with modern endpoint detection and response (EDR) and network detection tools.
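As an added example (not code from the page or from any of the vendors it mentions), the following detects the first of those artifacts, periodic beaconing, over a constructed outbound-connection log. Connections are grouped by source and destination, and a pair is flagged when it has enough connections and most of the intervals between them fall within a tolerance band around the median, which tolerates the jitter implants add to their sleep. The log format, the host names and the destination 203.0.113.45 are all constructed for this example; the thresholds passed to FindBeacons are assumptions to be tuned against real traffic.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Conn is one outbound connection: when, from which internal host, to which destination.
type Conn struct {
	At       time.Time
	Src, Dst string
}

// ParseConnLog reads lines of the form "<RFC3339 time> <src host> <dst:port>".
// The format is constructed for this example, not any product's log schema.
func ParseConnLog(log string) ([]Conn, error) {
	var out []Conn
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		out = append(out, Conn{At: ts, Src: f[1], Dst: f[2]})
	}
	return out, nil
}

// Beacon is a src->dst pair whose connection intervals are suspiciously regular.
type Beacon struct {
	Src, Dst string
	Count    int
	Period   time.Duration // median interval between connections
	Regular  float64       // fraction of intervals within ±tolerance of the median
}

// FindBeacons groups connections by (src,dst) and flags pairs with at least minCount
// connections whose intervals cluster around the median: up to `tolerance` (0.2 = 20%)
// jitter is allowed, and at least minRegular of the intervals must fall in that band.
func FindBeacons(conns []Conn, minCount int, tolerance, minRegular float64) []Beacon {
	byPair := map[[2]string][]time.Time{}
	for _, c := range conns {
		k := [2]string{c.Src, c.Dst}
		byPair[k] = append(byPair[k], c.At)
	}
	var found []Beacon
	for k, ts := range byPair {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var intervals, sorted []float64
		for i := 1; i < len(ts); i++ {
			intervals = append(intervals, ts[i].Sub(ts[i-1]).Seconds())
		}
		sorted = append(sorted, intervals...)
		sort.Float64s(sorted)
		median := sorted[len(sorted)/2]
		within := 0
		for _, iv := range intervals {
			if median > 0 && math.Abs(iv-median)/median <= tolerance {
				within++
			}
		}
		if regular := float64(within) / float64(len(intervals)); regular >= minRegular {
			found = append(found, Beacon{Src: k[0], Dst: k[1], Count: len(ts), Period: time.Duration(median * float64(time.Second)), Regular: regular})
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].Src+found[i].Dst < found[j].Src+found[j].Dst })
	return found
}

// SampleLog is constructed: db-app-07 checks in with 203.0.113.45 every ~5 minutes with a
// few seconds of jitter (an implant check-in pattern); web-03 talks to a CDN irregularly.
const SampleLog = `2014-07-12T03:00:00Z db-app-07 203.0.113.45:443
2014-07-12T03:00:10Z web-03 cdn.example.net:443
2014-07-12T03:00:25Z web-03 cdn.example.net:443
2014-07-12T03:05:03Z db-app-07 203.0.113.45:443
2014-07-12T03:07:00Z web-03 cdn.example.net:443
2014-07-12T03:09:58Z db-app-07 203.0.113.45:443
2014-07-12T03:15:05Z db-app-07 203.0.113.45:443
2014-07-12T03:19:55Z db-app-07 203.0.113.45:443
2014-07-12T03:22:05Z web-03 cdn.example.net:443
2014-07-12T03:23:05Z web-03 cdn.example.net:443
2014-07-12T03:25:02Z db-app-07 203.0.113.45:443
2014-07-12T03:40:00Z web-03 cdn.example.net:443
`

func main() {
	conns, _ := ParseConnLog(SampleLog)
	for _, b := range FindBeacons(conns, 6, 0.2, 0.8) {
		fmt.Printf("BEACON %s -> %s: %d conns, period %s, regularity %.2f\n", b.Src, b.Dst, b.Count, b.Period, b.Regular)
	}
}
```

In practice the input is firewall, proxy or NetFlow data rather than a string constant, and the same grouping logic applied to database audit logs (queries per account per hour, rows returned, off-hours activity) covers the other signal the page names: a reservation database whose every access path is logged makes the periodic exfiltration queries described above stand out as a regular series against an otherwise bursty workload.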
Data Minimization in Hospitality: Hotels collect enormous volumes of personal data, much of which is retained indefinitely. The FTC consent order’s data minimization requirements reflect a growing regulatory expectation that organizations retain personal data only as long as necessary. Hotels should implement automated data lifecycle policies that purge guest personal information after checkout, retaining only the minimum data required for legal, loyalty program, and financial record-keeping purposes.
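One way to make such a lifecycle policy executable, as an added example that is not from the page, the FTC order or Marriott's own programme: every stored field gets a retention rule (how long after checkout it may be kept, and on what basis), a field with no rule is purged at checkout by default, and a purge job deletes whatever has lapsed while leaving in-house guests and records under legal hold untouched. The retention periods, field names and the SPG-1001 sample record are constructed assumptions for the example, not figures from any regulator.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Retention says how long after checkout a field may be kept and on what basis.
// The durations below are illustrative assumptions for the example, not figures
// from any regulator, from the FTC order or from Marriott's own policy.
type Retention struct {
	Keep  time.Duration
	Basis string
}

const year = 365 * 24 * time.Hour

// Policy maps each stored field to its retention rule. A field with no rule has no
// documented justification and is purged at checkout, which is the safe default.
var Policy = map[string]Retention{
	"passport_number": {0, "identity check at check-in only"},
	"date_of_birth":   {0, "age verification at check-in only"},
	"stay_dates":      {7 * year, "financial record-keeping"},
	"folio_total":     {7 * year, "financial record-keeping"},
	"loyalty_id":      {1 * year, "loyalty program, while the account is active"},
	"email":           {1 * year, "loyalty program communications"},
}

// Guest is a flattened reservation record: its fields, the checkout time and a legal-hold flag.
type Guest struct {
	ID        string
	Checkout  time.Time
	LegalHold bool // litigation or regulatory hold: nothing is purged while set
	Fields    map[string]string
}

// Purge deletes every field whose retention has lapsed at `now` and returns their names
// (sorted, for logging). Guests still in-house and guests under legal hold are left alone.
func Purge(g *Guest, now time.Time) []string {
	if g.LegalHold || now.Before(g.Checkout) {
		return nil
	}
	var removed []string
	for name := range g.Fields {
		rule, ok := Policy[name]
		if !ok || now.Sub(g.Checkout) >= rule.Keep {
			removed = append(removed, name)
		}
	}
	sort.Strings(removed)
	for _, name := range removed {
		delete(g.Fields, name)
	}
	return removed
}

// SampleGuest is a constructed record for the example; the values are not real guest data.
func SampleGuest() *Guest {
	return &Guest{
		ID:       "SPG-1001",
		Checkout: time.Date(2014, 7, 15, 11, 0, 0, 0, time.UTC),
		Fields: map[string]string{
			"passport_number":  "X12345678",
			"date_of_birth":    "1970-01-01",
			"stay_dates":       "2014-07-12/2014-07-15",
			"folio_total":      "1234.50",
			"loyalty_id":       "SPG-1001",
			"email":            "guest@example.com",
			"room_preferences": "high floor",
		},
	}
}

func main() {
	for _, age := range []time.Duration{-time.Hour, 24 * time.Hour, 2 * year, 8 * year} {
		g := SampleGuest()
		removed := Purge(g, g.Checkout.Add(age))
		fmt.Printf("%v after checkout: purged %v, kept %d fields\n", age, removed, len(g.Fields))
	}
}
```

Run as a scheduled job against the reservation store, this is the mechanism behind the page's recommendation: the passport number and date of birth disappear the day the guest leaves, while the financial fields survive for the legally required period. The list returned by Purge is what the job should write to its audit log, so that the retention programme can be evidenced to an assessor.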
The Marriott/Starwood breach saga is the most expensive lesson in cybersecurity due diligence in corporate history. Three breaches over six years, 344 million exposed guest records, 5.25 million unencrypted passport numbers, and a combined penalty exceeding $70 million across U.S. and UK enforcement actions. For any organization considering an acquisition, the Marriott case delivers an unambiguous message: you inherit the target’s security failures along with its assets, and the regulatory consequences will be yours to bear.