What is Marriott Data Breach?

Marriott's breach exposed the travel records and personal data of 500 million hotel guests — and the attackers had been inside the system for four years before anyone noticed.

Timeline

• 2014: Hackers breached Starwood Hotels' reservation database
• 2016: Marriott acquired Starwood for $13.6 billion — inheriting the breach unknowingly
• September 2018: Marriott detected the breach during a security review
• November 2018: Public disclosure — 500 million guests affected
• 2020: A second breach exposed 5.2 million additional guest records
• 2022: A third breach via social engineering compromised 20 GB of data

What Was Exposed (2018 Breach)

• 383 million guest records (names, addresses, phone numbers, email)
• 25.5 million passport numbers (5.25 million unencrypted)
• 8.6 million encrypted credit card numbers
• Arrival and departure dates
• Starwood Preferred Guest account information
• Travel patterns and booking history

Why Travel Data Matters

Movement Tracking

Four years of hotel reservations reveal detailed travel patterns — where someone goes, how often, who they travel with, and their routines.

Intelligence Value

Passport numbers, travel histories, and hotel stays are extremely valuable for intelligence agencies. The breach was attributed to Chinese intelligence.

Ongoing Vulnerability

With three separate breaches (2018, 2020, 2022), Marriott demonstrated a pattern of inadequate security — suggesting the company prioritizes convenience over guest privacy.

Regulatory Response

• UK ICO: Fined Marriott £18.4 million under GDPR (reduced from initial £99 million)
• FTC Settlement (2024): Required comprehensive security program and data minimization
• Multiple class action lawsuits