Marriott Data Breaches Exposed 300+ Million Guests to Identity Theft
Federal regulators found Marriott and Starwood failed to protect customer data for years, leaving hundreds of millions of travelers vulnerable to hackers who stole passport numbers, payment cards, and personal information.
Between 2014 and 2020, Marriott and its subsidiary Starwood suffered three major data breaches that compromised personal information of hundreds of millions of hotel guests worldwide. The Federal Trade Commission found the companies used weak passwords, failed to patch known security vulnerabilities, and left customer data unencrypted for years. Hackers accessed names, addresses, passport numbers, payment card details, and loyalty program information. The FTC’s final order requires Marriott to overhaul its security practices and submit to independent audits for 20 years.
This case reveals how corporate cost-cutting on cybersecurity can leave everyday travelers exposed to identity theft and fraud for years.
The Allegations: A Breakdown
| # | Allegation | Severity |
|---|---|---|
| 01 | Marriott allowed hackers to access Starwood’s network for 14 months starting in June 2014, compromising guest data because the company failed to maintain basic security measures like strong passwords and network segmentation. | high |
| 02 | After acquiring Starwood in 2016, Marriott failed to discover or stop an ongoing breach that had started in July 2014, allowing intruders to roam the network for over four years until September 2018, stealing unencrypted passport numbers and payment card details from 339 million guest records. | high |
| 03 | In March 2020, hackers compromised Marriott’s own branded systems using stolen credentials, accessing 5.2 million guest records with personal details and loyalty program information, proving the security failures extended beyond the Starwood acquisition. | high |
| 04 | The companies permitted blank or default passwords across their systems, failed to install security patches for known vulnerabilities in a timely manner, and did not properly segment their networks to prevent attackers from moving freely between systems. | high |
| 05 | Marriott misrepresented its security practices to consumers by claiming it used reasonable organizational, technical and administrative measures to protect personal information, while Starwood falsely promised it used firewalls and up to 256-bit encryption. | high |
| 06 | The companies failed to implement multi-factor authentication for remote access to systems containing sensitive customer data, leaving administrative credentials vulnerable to compromise. | medium |
| 07 | Marriott did not establish adequate logging and monitoring systems to detect anomalous activity within 24 hours, allowing attackers to install malware and capture data without triggering alarms. | high |
| 08 | The company failed to inventory and classify IT assets containing personal information, and did not encrypt, tokenize, or otherwise protect sensitive data on many systems. | high |
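The control gaps the table names (blank or default passwords, no MFA on remote or administrative access, unpatched known vulnerabilities, unencrypted personal information, and no monitoring capable of 24-hour detection) are the kind of thing an internal audit can check mechanically. The following Python audit is an added example, not code from the page or the FTC record; the inventory records, hostnames, the credential deny-list and the 30-day patch window are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: the organisation's own deny-list of blank/default credentials.
DEFAULT_PASSWORDS = ["", "admin", "password", "changeme"]
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in DEFAULT_PASSWORDS}
PATCH_SLA_DAYS = 30  # assumption: illustrative remediation window for known CVEs

@dataclass(frozen=True)
class Account:
    user: str
    host: str
    password_sha256: str  # unsalted SHA-256 only so the deny-list check runs offline
    is_admin: bool
    remote_access: bool
    mfa_enrolled: bool

@dataclass(frozen=True)
class Asset:
    host: str
    holds_pii: bool
    pii_protected: bool  # encrypted or tokenized at rest
    oldest_unpatched_cve_published: Optional[date]  # None means fully patched
    logs_forwarded: bool  # feeds the monitoring that 24-hour detection needs

@dataclass(frozen=True)
class Finding:
    control: str
    subject: str
    detail: str

def audit(accounts, assets, today):
    """Return one Finding per control gap; an empty list means nothing was flagged."""
    findings = []
    for a in accounts:
        who = f"{a.user}@{a.host}"
        if a.password_sha256 in DEFAULT_HASHES:
            findings.append(Finding("blank-or-default-password", who, "credential matches deny-list"))
        if (a.is_admin or a.remote_access) and not a.mfa_enrolled:
            findings.append(Finding("mfa-missing", who, "remote or admin access without MFA"))
    for s in assets:
        if s.holds_pii and not s.pii_protected:
            findings.append(Finding("pii-unprotected", s.host, "personal information stored in the clear"))
        if s.oldest_unpatched_cve_published is not None:
            age = (today - s.oldest_unpatched_cve_published).days
            if age > PATCH_SLA_DAYS:
                findings.append(Finding("patch-overdue", s.host, f"known vulnerability unpatched for {age} days"))
        if not s.logs_forwarded:
            findings.append(Finding("no-monitoring", s.host, "no logs forwarded; 24-hour detection impossible"))
    return findings

def summarize(findings):  # counts per control, the shape a periodic risk assessment reports
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts

def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample inventory: hostnames, users and dates are made up.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("svc_backup", "db-guest-01", _h(""), True, True, False),  # blank pw, admin, no MFA
    Account("jdoe", "vpn-gw", _h("correct horse battery staple"), False, True, True),
    Account("ops", "pos-03", _h("admin"), True, False, True),  # default pw
]
SAMPLE_ASSETS = [
    Asset("db-guest-01", True, False, date(2024, 1, 10), False),  # PII in clear, stale CVE, no logs
    Asset("vpn-gw", False, True, None, True),
    Asset("pos-03", True, True, date(2024, 5, 20), True),  # CVE 12 days old, inside SLA
]
```

Running `audit(SAMPLE_ACCOUNTS, SAMPLE_ASSETS, AS_OF)` on the constructed data flags six gaps; the `db-guest-01` host alone trips four of the five controls, which is the pattern the allegations describe.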

| # | Finding | Severity |
|---|---|---|
| 01 | The Federal Trade Commission only initiated its investigation after public disclosure of the breaches, meaning hundreds of millions of consumers remained at risk for years while regulators had no visibility into the ongoing security failures. | high |
| 02 | Despite the first Starwood breach beginning in 2014, no regulatory action was taken until after Marriott publicly announced the breach in 2018, illustrating a reactive rather than preventive regulatory approach. | medium |
| 03 | The FTC’s consent order came only after three separate breaches had already compromised guest data, highlighting the lack of proactive enforcement mechanisms to catch security failures before massive harm occurs. | high |
| 04 | The final order allows Marriott 180 days to establish required security programs, giving the company extensive time to implement protections that should have been in place years earlier. | medium |
| 05 | While the order imposes requirements for third-party assessments, the FTC must approve each assessor, and the company retains significant control over the assessment process, potentially limiting independence. | medium |
| 06 | The order explicitly excludes Marriott franchised hotels and international subsidiaries from many requirements, leaving significant portions of the company’s global operations outside the enforcement action. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | Marriott rushed to complete its $12 billion acquisition of Starwood without conducting adequate security due diligence, prioritizing deal speed and market expansion over protecting millions of customers’ personal information. | high |
| 02 | The companies failed to allocate sufficient resources to basic cybersecurity measures like timely software patching and strong password policies, treating data security as a cost center rather than a fundamental obligation to customers. | high |
| 03 | Rather than immediately disclosing security vulnerabilities discovered during the Starwood acquisition, Marriott allowed compromised systems to remain operational for years, suggesting a calculation that business continuity outweighed customer protection. | high |
| 04 | The companies maintained public-facing privacy policies promising robust security measures while simultaneously failing to implement industry-standard protections, using these false assurances to maintain customer trust and revenue. | high |
| 05 | Marriott did not require franchised hotels to meet the same security standards imposed by the consent order, allowing the company to minimize compliance costs by shifting responsibility to independent operators. | medium |
| 06 | The consent order reveals Marriott treated cybersecurity as an afterthought during corporate integration, focusing on revenue synergies from the Starwood merger while neglecting the fundamental infrastructure needed to protect customer data. | high |

| # | Finding | Severity |
|---|---|---|
| 01 | Hundreds of millions of consumers worldwide now face ongoing risks of identity theft, fraudulent charges, and compromised financial accounts because their stolen data can circulate on criminal markets for years. | high |
| 02 | Affected customers must spend time and money freezing credit, changing passwords, monitoring loyalty program balances, and resolving fraudulent activity, costs that fall entirely on victims rather than the company responsible. | high |
| 03 | Consumers with fewer financial resources face disproportionate harm because they cannot afford identity theft monitoring services, legal assistance, or the financial buffer needed to weather fraudulent charges. | high |
| 04 | Local police departments and consumer advocacy groups face increased workloads helping victims navigate identity theft claims, shifting the cost of corporate negligence onto public institutions and community organizations. | medium |
| 05 | The breaches impacted guests from over 131 countries and territories, spreading economic harm globally while the company faced consequences primarily in U.S. regulatory proceedings. | medium |
| 06 | Small businesses dependent on Marriott for tourism revenue may suffer reduced bookings and economic instability as the brand’s reputation suffers, while the corporation itself maintains substantial market power. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | The theft of detailed travel itineraries, passport numbers, and personal addresses creates ongoing safety risks for victims, potentially exposing them to stalking, harassment, or targeted exploitation by criminals. | high |
| 02 | Identity theft victims face documented mental health impacts including stress, anxiety, and emotional distress that can persist for years as they deal with the cascading consequences of compromised personal information. | high |
| 03 | The breach of over 5.25 million unencrypted passport numbers creates national security risks, as these documents can be used to facilitate illegal border crossings, fraud schemes, or other criminal activities. | high |
| 04 | Victims must constantly monitor their financial accounts and personal information for signs of misuse, creating a perpetual state of vigilance and fear that undermines their sense of security and wellbeing. | medium |
| 05 | The stolen data includes information about where people travel and when, creating risks for vulnerable populations such as domestic violence survivors, witnesses in criminal cases, or individuals fleeing dangerous situations. | high |
| 06 | Elderly travelers and those less familiar with technology face particular difficulty protecting themselves after the breach, as they may struggle to implement recommended safeguards or recognize warning signs of identity theft. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | Hotel employees must handle frustrated guests concerned about data privacy and identity theft without adequate training or information, forcing frontline workers to bear the emotional burden of the company’s failures. | medium |
| 02 | The consent order requires role-appropriate training for employees with access to personal information, revealing that workers were previously expected to handle sensitive data without proper security education. | medium |
| 03 | Marriott’s cost-cutting on cybersecurity likely extended to inadequate staffing and resources for IT security teams, forcing employees to manage massive systems without the tools or support needed to protect customer data. | medium |
| 04 | Employees who raised concerns about security vulnerabilities may have been ignored or overruled by management prioritizing deal speed and cost reduction over data protection. | medium |
| 05 | Franchised hotel employees must now meet security training requirements without clear indication that Marriott will provide resources or compensation for this additional burden. | low |
| 06 | Workers face potential job insecurity as the company deals with legal costs, settlements, and reputation damage, even though security failures stemmed from executive decisions rather than employee actions. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | Communities dependent on tourism revenue face economic uncertainty as travelers lose confidence in hotel data security, potentially reducing bookings and harming local businesses that rely on hotel guests. | medium |
| 02 | Small vendors, tour operators, taxi services, and restaurants that depend on Marriott hotel guests for revenue may experience reduced business as the brand’s reputation suffers from repeated security scandals. | medium |
| 03 | Local institutions including libraries, schools, and community centers may see increased demand for help with identity theft issues as residents struggle to navigate the aftermath of the breaches. | low |
| 04 | The breach of loyalty program information undermines trust in rewards systems that many budget-conscious travelers depend on for affordable accommodations, disproportionately affecting those with fewer travel resources. | medium |
| 05 | Communities near Marriott properties may face reputational harm by association if the area becomes known for hosting hotels with poor security practices, affecting broader tourism and economic development. | low |
| 06 | Public resources must be diverted to help breach victims, as social service agencies, legal aid organizations, and law enforcement respond to identity theft cases that should have been prevented by corporate responsibility. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | The consent order imposes security requirements but does not directly compensate individual victims for identity theft, financial fraud, or emotional distress caused by years of exposed personal data. | high |
| 02 | Marriott’s executives and board members face no personal consequences for the security failures, allowing decision-makers who prioritized deal speed over data protection to avoid accountability. | high |
| 03 | The order allows Marriott to retain personal information for undefined legitimate business needs except marketing, creating loopholes that permit the company to continue collecting and storing vast amounts of customer data. | medium |
| 04 | By excluding franchised hotels and international subsidiaries from many requirements, the order leaves significant portions of Marriott’s global operations free to continue inadequate security practices. | high |
| 05 | The 180-day implementation timeline for required security programs means customers remain at risk for months while the company slowly addresses vulnerabilities that should have been fixed years ago. | medium |
| 06 | The consent order requires only biennial third-party assessments after the initial review, allowing two-year gaps during which security practices could deteriorate without independent oversight. | medium |
| 07 | Marriott can claim attorney-client privilege and other protections to withhold documents from the FTC assessor, potentially limiting the independence and thoroughness of required security audits. | medium |
| 08 | The order terminates after 20 years unless violations are alleged in federal court, meaning the company could eventually escape oversight even if it has a history of repeated security failures. | low |

| # | Finding | Severity |
|---|---|---|
| 01 | Marriott published privacy policies promising reasonable organizational, technical and administrative measures to protect customer information, using these false assurances to maintain consumer trust while failing to implement basic security. | high |
| 02 | Starwood advertised that it used firewalls and up to 256-bit encryption to secure customer data, making specific technical claims that masked the reality of blank passwords, unpatched vulnerabilities, and inadequate network segmentation. | high |
| 03 | The companies emphasized certain security protocols like encryption for data in transit while concealing systematic failures in access controls, monitoring, and vulnerability management that left customer information exposed for years. | high |
| 04 | Marriott likely framed the breaches as unavoidable cyber attacks rather than the predictable result of cost-cutting decisions and inadequate investment in basic security infrastructure. | medium |
| 05 | The consent order reveals a pattern of making widely disseminated representations about security practices that did not match the actual state of the companies’ data protection systems. | high |
| 06 | By emphasizing its cooperation with regulators in public statements, Marriott likely sought to portray itself as a responsible actor, deflecting attention from years of negligence that preceded regulatory intervention. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | Wealthy executives and shareholders who benefited from the Starwood acquisition face no requirement to return profits gained while customer data remained unprotected, while everyday travelers bear the costs of identity theft and fraud. | high |
| 02 | Low-income consumers cannot afford robust identity theft monitoring or legal representation, leaving them disproportionately vulnerable to the long-term financial consequences of the breaches. | high |
| 03 | The consent order requires Marriott to implement security improvements but does not claw back executive compensation or bonuses paid during years when the company knowingly operated compromised systems. | high |
| 04 | Marriott’s ability to absorb legal fees, settlement costs, and security upgrades without significant financial distress illustrates how large corporations can treat consumer harm as a manageable cost of doing business. | medium |
| 05 | Victims from developing countries face particular difficulty recovering from identity theft, as they may lack access to credit monitoring services, consumer protection agencies, or legal systems that can help them seek redress. | high |
| 06 | The billions saved by underinvesting in cybersecurity likely flowed to shareholders and executives as dividends and bonuses, privatizing gains while socializing the risks and costs of data breaches onto vulnerable consumers. | high |

| # | Finding | Severity |
|---|---|---|
| 01 | Attackers accessed Starwood’s network for 14 months before Marriott even announced its acquisition plan, and the breach continued undetected for over two more years after the merger closed, illustrating how delayed discovery protected the company from accountability. | high |
| 02 | The second major breach began in July 2014 but was not discovered until September 2018, meaning hackers had over four years of uninterrupted access while Marriott completed its acquisition and integration without addressing the compromise. | high |
| 03 | By the time Marriott publicly disclosed the Starwood breach in 2018, the stolen data had likely been sold and resold on criminal markets for years, making it impossible to contain the damage or protect affected consumers. | high |
| 04 | The consent order allows 180 days for Marriott to establish required security programs, giving the company six more months to implement protections while customers remain vulnerable to additional breaches. | medium |
| 05 | Marriott conducted its acquisition due diligence while Starwood’s systems were actively compromised, but the company did not discover or disclose the breach until years later, suggesting investigations were inadequate or findings were suppressed. | high |
| 06 | The consent order’s 20-year term may seem lengthy, but it allows biennial rather than annual assessments for most of that period, creating two-year windows during which security practices could deteriorate without oversight. | medium |

| # | Finding | Severity |
|---|---|---|
| 01 | The Marriott data breaches prove that major corporations will sacrifice customer security for deal speed and cost savings, knowing that regulators can only respond after harm has occurred. | high |
| 02 | This case demonstrates that privacy policies and security promises mean nothing without enforcement, as companies can make false representations for years while regulatory oversight remains reactive rather than preventive. | high |
| 03 | The consent order’s exclusion of franchised hotels and international operations shows how corporate structure can be weaponized to limit accountability, leaving vast portions of a global company outside enforcement actions. | high |
| 04 | Marriott’s repeated breaches illustrate how inadequate penalties and delayed enforcement allow large corporations to treat consumer protection as optional, calculating that the costs of compliance exceed the risks of violations. | high |
| 05 | The case reveals fundamental imbalances in how data breach consequences are distributed, with everyday consumers bearing identity theft risks and financial burdens while executives and shareholders face no personal accountability. | high |
| 06 | Without substantially stronger data protection laws, mandatory real-time breach disclosure, and penalties severe enough to change corporate behavior, consumers will continue to serve as unwitting test subjects for inadequate security practices. | high |
| 07 | This enforcement action came only after three separate breaches exposed hundreds of millions of people, proving that current regulatory frameworks cannot protect the public from corporate negligence before catastrophic harm occurs. | high |
Timeline of Events
Direct Quotes from the Legal Record
“This breach started around July 2014 but persisted undetected even after Marriott took over. It was discovered only in September 2018—nearly two years after the legal close of the acquisition.”
💡 This shows Marriott completed a multi-billion dollar acquisition without properly investigating the security of the systems it was buying.
“Attackers gained remote access to Starwood’s network for 14 months, mostly due to outdated security systems, weak passwords, and insufficient network segmentation.”
💡 Basic security failures allowed hackers to maintain access for over a year without detection.
“Intruders were able to roam widely across Starwood’s system, installing malware and capturing sensitive, unencrypted consumer information such as passport numbers and payment card details.”
💡 The company left highly sensitive personal information completely unprotected, violating fundamental data security principles.
“This was not just a ‘Starwood’ problem—hackers compromised credentials to access Marriott’s own network. Over 5.2 million guest records were accessed, including personal details and loyalty program balances.”
💡 The third breach demonstrated that security failures extended throughout Marriott’s operations, not just acquired systems.
“Marriott and Starwood systems allegedly permitted or failed to prevent blank or default passwords.”
💡 Allowing blank passwords is one of the most basic security failures imaginable, showing extreme negligence.
“Hackers exploited known vulnerabilities in outdated systems.”
💡 The companies knew about security vulnerabilities but failed to fix them, prioritizing cost savings over customer protection.
“Attackers could move effortlessly between different segments of Starwood’s internal network, well after Marriott took control.”
💡 Proper network segmentation would have limited breach damage, but Marriott failed to implement this basic protection.
“Especially critical for remote access or administrative credentials, this was missing or inadequately deployed.”
💡 Multi-factor authentication is standard practice for protecting sensitive systems, yet Marriott failed to require it.
“Marriott’s own consumer-facing privacy policies promised ‘reasonable organizational, technical and administrative measures,’ while Starwood asserted it used ‘firewalls’ and ‘up to 256-bit encryption.’”
💡 The companies made specific security promises to consumers that they knew or should have known were false.
“The Complaint asserts that Marriott misrepresented its level of security to consumers, thus deceiving them into believing their personal data—names, passport numbers, addresses, loyalty account details—was safeguarded when it was, in fact, vulnerable.”
💡 This was not just negligence but active deception of consumers about the safety of their personal information.
“339 million records worldwide during the second breach alone, including over 5.25 million unencrypted passport numbers.”
💡 Passport numbers are particularly dangerous when stolen because they can enable identity fraud and illegal border crossings.
“Respondents must, within 180 days of the effective date of this Order, establish, implement and maintain a comprehensive information security program.”
💡 Customers remain at risk for six more months while the company slowly implements protections that should have existed years ago.
“Assess and document, at least annually and promptly (not to exceed 120 days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information.”
💡 The order reveals Marriott was not conducting regular risk assessments, a fundamental security practice.
“Respondents shall have policies and procedures that require Marriott Franchised Hotels to provide role-appropriate training for their employees who have access to Personal Information on any Marriott IT asset, at least annually.”
💡 Employees were expected to handle sensitive data without proper security training, putting both workers and customers at risk.
“This Order will terminate 20 years from the date of its issuance.”
💡 The 20-year oversight period reflects the severity of the violations and the FTC’s lack of confidence in Marriott’s commitment to security.
Frequently Asked Questions
The FTC issued a press release on this case in December 2024: https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-finalizes-order-marriott-starwood-requiring-them-implement-robust-data-security-program-address