Penalty Amount
$3,500,000
Consumers Affected
131,000,000
Texas Attorney General Ken Paxton secured a $3.5 million settlement with Marriott International, Inc. following an investigation into a data breach of the company’s reservation database that exposed 131 million U.S. guest records. The breach included sensitive customer information such as contact details, dates of birth, unencrypted passport numbers, and unexpired payment card information. Marriott is required to implement enhanced data security measures, including zero-trust principles and regular security reporting to its CEO, as part of the settlement.
Marriott must pay $52 million total to 50 participating states, including $3.5 million to Texas. The company is subject to an Agreed Final Judgment requiring implementation of a comprehensive data security program incorporating zero-trust principles, regular security reports to its CEO, and enhanced employee data handling training.
In-house legal teams should review vendor agreements with hospitality and service providers to ensure robust data security clauses mandating zero-trust principles, regular security reporting to executive leadership, and employee training on data handling. Contracts should include clear breach notification requirements, obligations to safeguard sensitive personal information (including passport numbers and payment card data), and audit rights to verify compliance with security mandates. Teams should also update data processing agreements to require vendors to implement risk-based security programs aligned with state data protection laws.
Entity
Marriott International, Inc.
Also known as: Marriott
Industry
Other
"Marriott International, Inc."
"$3.5 million to the State of Texas"
"$52 million payment to the 50 states participating in this settlement"
"Texas law is clear that companies in possession of Texans’ personal information have a duty to safeguard that data"
"breach of one of the company’s reservation databases. The breach exposed 131 million guest records pertaining to customers in the United States and these records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information."
"131 million guest records pertaining to customers in the United States"
$52.0M
A multistate coalition of 50 attorneys general, including New Jersey, reached a $52 million settlement with Marriott International, Inc. for two data breaches that exposed personal information of over 131 million consumers. The breaches resulted from inadequate cybersecurity practices at Starwood and Marriott networks. The settlement mandates comprehensive security improvements and monetary penalties.
$52.0M
A multistate coalition of 50 attorneys general led by New York AG Letitia James reached a $52 million settlement with Marriott International, Inc. over a 2014-2018 data breach of its Starwood subsidiary’s guest reservation database that exposed 131.5 million consumers’ personal information. The breach, which went undetected for four years, compromised contact details, dates of birth, passport numbers, payment card information, and loyalty program data. Marriott is required to overhaul its data security practices, implement new compliance measures, and allow customers to delete their stored data as part of the settlement.
$52.0M
A multistate settlement with Marriott International for a data breach affecting 131.5 million guest records. Marriott failed to secure the Starwood network from 2014 to 2018, exposing personal information. The settlement includes a $52 million payment and requires Marriott to implement enhanced cybersecurity measures and consumer protections.
Texas Attorney General Ken Paxton launched an investigation into Meta's Meta AI Glasses over allegations of unlawful facial biometric data collection, deceptive privacy practices, and unauthorized sharing of user data with subcontractors. The investigation follows concerns that the glasses' always-on recording mode lacks proper user notice, planned facial recognition features would collect data without consent, and private user videos are accessed by third-party annotators in Kenya. The AG issued a Civil Investigative Demand to Meta to determine violations of Texas privacy laws.
Texas Attorney General Ken Paxton launched an investigation into Meta regarding its Meta AI Glasses, alleging unlawful collection of facial biometric data, deceptive privacy representations, and unauthorized sharing of user data with subcontractors. The investigation follows concerns that the glasses’ always-on recording mode lacks proper notice, subcontractors access private user content including intimate moments, and Meta plans to deploy facial recognition technology to collect unsuspecting individuals’ facial geometry. The AG issued a Civil Investigative Demand to determine if Meta violated Texas law by deceptively misrepresenting its data use practices.
Texas Attorney General Ken Paxton filed a lawsuit against proxy advisory firm Institutional Shareholder Services, Inc. (ISS) alleging violations of the Texas Deceptive Trade Practices Act by prioritizing political agendas over sound financial guidance in voting recommendations. The lawsuit seeks an injunction to stop deceptive practices and civil penalties of up to $10,000 per DTPA violation. This action follows a 2025 investigation into ISS and peer firm Glass Lewis & Co.