Penalty Amount
$52,000,000
Consumers Affected
131,500,000
A multistate coalition of 50 attorneys general, including New Jersey, reached a $52 million settlement with Marriott International, Inc. for two data breaches that exposed personal information of over 131 million consumers. The breaches resulted from inadequate cybersecurity practices at Starwood and Marriott networks. The settlement mandates comprehensive security improvements and monetary penalties.
Marriott must pay $52 million, implement a cybersecurity overhaul including appointing a Chief Information Security Officer, establishing board oversight, enhancing security controls, allowing consumers to request data deletion and loyalty account reviews, training employees, conducting risk assessments, improving vendor management, and submitting to regular third-party audits.
In-house legal teams should review all vendor and customer agreements, particularly those involving the processing or storage of personal data. Key clauses to examine include data security obligations, breach notification requirements and timelines, audit and inspection rights, third-party subcontractor management, data retention and disposal policies, and indemnification provisions related to security incidents. Given the settlement's focus on inadequate cybersecurity practices, contracts may need to be amended to include more specific technical security controls (e.g., encryption standards, multi-factor authentication), mandatory regular security audits by the company, stricter vendor management protocols, and clearer liability and remediation terms in the event of a breach.
Entity
Marriott International, Inc.
Also known as: Marriott
Industry
OtherOfficial Press Release
https://www.njoag.gov/attorney-general-platkin-multistate-coalition-announce-52-million-settlement-for-marriott-starwood-data-breaches/
2024 1009 Marriott Complaint as filed
https://www.nj.gov/oag/newsreleases24/2024-1009_Marriott-Complaint-as-filed.pdf
2024 1009 Marriott Final Consent Judgment as filed
https://www.nj.gov/oag/newsreleases24/2024-1009_Marriott-Final-Consent-Judgment-as-filed.pdf
New Jersey Attorney General Enforcement Page
https://www.njoag.gov/about/divisions-and-offices/division-of-consumer-affairs/
"Marriott International, Inc."
"$52 million"
"New Jersey Consumer Fraud Act"
"The States allege that Marriott violated data breach laws and consumer protection laws—including the New Jersey Consumer Fraud Act—by misrepresenting the ways in which it protected consumers’ personal information and failed to use adequate cybersecurity safeguards to protect that information."
$52.0M
A multistate coalition of 50 attorneys general led by New York AG Letitia James reached a $52 million settlement with Marriott International, Inc. over a 2014-2018 data breach of its Starwood subsidiary’s guest reservation database that exposed 131.5 million consumers’ personal information. The breach, which went undetected for four years, compromised contact details, dates of birth, passport numbers, payment card information, and loyalty program data. Marriott is required to overhaul its data security practices, implement new compliance measures, and allow customers to delete their stored data as part of the settlement.
$52.0M
A multistate settlement with Marriott International for a data breach affecting 131.5 million guest records. Marriott failed to secure the Starwood network from 2014 to 2018, exposing personal information. The settlement includes a $52 million payment and requires Marriott to implement enhanced cybersecurity measures and consumer protections.
$3.5M
Texas Attorney General Ken Paxton secured a $3.5 million settlement with Marriott International, Inc. following an investigation into a data breach of the company’s reservation database that exposed 131 million U.S. guest records. The breach included sensitive customer information such as contact details, dates of birth, unencrypted passport numbers, and unexpired payment card information. Marriott is required to implement enhanced data security measures, including zero-trust principles and regular security reporting to its CEO, as part of the settlement.
$100K
New Jersey Attorney General Jennifer Davenport and the Division of Consumer Affairs announced a Consent Order with King Distribution LLC and 17 related retail smoke shops, resolving allegations that the companies illegally sold flavored vapor products in violation of New Jersey’s consumer protection laws. The Consent Order imposes a $100,000 civil penalty, requires reimbursement of $22,279 in investigation costs, and prohibits the companies from selling or distributing flavored vapor products in New Jersey. The enforcement action is part of New Jersey’s ongoing efforts to protect youth from flavored vape products, which have been permanently banned in the state since January 2020.
The New Jersey Bureau of Securities issued a Cease and Desist Order on April 30, 2026, against Titan Macro Finance for operating an investment fraud scheme via WhatsApp and Instagram that defrauded at least one New Jersey investor of $64,000. The scheme involved unregistered broker-dealer activity, fake trading profits, and undisclosed fees to access investor funds. The action was coordinated with the California Department of Financial Protection and Innovation, which issued a similar order against the entity for violating California’s Commodity Code.
New Jersey Attorney General Jennifer Davenport and the Bureau of Securities issued a public warning to state residents about fraudulent investment schemes proliferating on Meta-owned platforms including Facebook, Instagram, and WhatsApp. The alert details common scam tactics such as pump-and-dump schemes, confidence scams, and fraudulent cryptocurrency offerings, and provides tips for residents to avoid victimization. No enforcement action against any entity was announced in this release.