Penalty Amount
$52,000,000
Consumers Affected
131,500,000
A multistate coalition of 50 attorneys general, led by New York Attorney General Letitia James, reached a $52 million settlement with Marriott International, Inc. over the 2014-2018 breach of its Starwood subsidiary's guest reservation database, which exposed the personal information of 131.5 million consumers. The intrusion went undetected for four years and compromised contact details, dates of birth, passport numbers, payment card information, and loyalty program data. Under the settlement, Marriott must overhaul its data security practices, implement new compliance measures, and let customers request deletion of the personal data it stores about them.
Marriott must pay $52 million in total penalties ($2.29 million to New York) and implement sweeping data security reforms over 20 years. Requirements include biennial independent third-party security assessments, a comprehensive Information Security Program with CEO-level reporting and employee training, data minimization and disposal protocols, enhanced vendor and franchisee oversight with risk assessments for critical IT vendors, and post-acquisition security integration plans. Marriott must also allow customers to delete their stored data, offer multi-factor authentication for loyalty accounts, and monitor those accounts for suspicious activity.
In-house legal teams should review all vendor agreements, especially those with cloud providers and IT vendors, to ensure they include mandatory risk assessments, clear security obligations, and compliance with the company’s data security policies. Contracts with franchisees should also be updated to require adherence to information security programs and regular security reporting. Acquisition agreements need to include provisions requiring prompt security assessments of target companies and integration plans to address deficiencies. Additionally, customer-facing agreements should be updated to include clear data deletion rights and multi-factor authentication options for loyalty accounts. Data retention clauses should be revised to minimize unnecessary data collection and require timely disposal of outdated customer information.
Entity
Marriott International, Inc.
Also known as: Marriott
Industry
Other
Official Press Release
https://ag.ny.gov/press-release/2024/attorney-general-james-announces-52-million-multistate-settlement-marriott-over
Settlement Judgment (New York, signed PDF)
https://ag.ny.gov/sites/default/files/settlements-agreements/marriott-judgment-ny-marriott-final-signed.pdf
New York Attorney General Enforcement Page
https://ag.ny.gov/press-releases
"Marriott International, Inc. (Marriott)"
"pay $52 million in penalties"
"intruders in its system for four years without getting detected, leading to a data breach that affected 131.5 million customers nationwide"
"intruders accessed and stayed on Starwood’s databases undetected for years. This intrusion led to the breach of 131.5 million customers’ personal information."
"131.5 million customers nationwide"
"October 9, 2024"
$52.0M
A multistate coalition of 50 attorneys general, including New Jersey, reached a $52 million settlement with Marriott International, Inc. for two data breaches that exposed personal information of over 131 million consumers. The breaches resulted from inadequate cybersecurity practices at Starwood and Marriott networks. The settlement mandates comprehensive security improvements and monetary penalties.
$52.0M
A multistate settlement with Marriott International for a data breach affecting 131.5 million guest records. Marriott failed to secure the Starwood network from 2014 to 2018, exposing personal information. The settlement includes a $52 million payment and requires Marriott to implement enhanced cybersecurity measures and consumer protections.
$3.5M
Texas Attorney General Ken Paxton secured a $3.5 million settlement with Marriott International, Inc. following an investigation into a data breach of the company’s reservation database that exposed 131 million U.S. guest records. The breach included sensitive customer information such as contact details, dates of birth, unencrypted passport numbers, and unexpired payment card information. Marriott is required to implement enhanced data security measures, including zero-trust principles and regular security reporting to its CEO, as part of the settlement.
New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.
New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.
This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.