Colorado to receive $822,434 from nationwide Marriott guest reservation system data breach settlement

Oct. 9, 2024 (DENVER) – Attorney General Phil Weiser announced today that a bipartisan coalition of 50 attorneys general has reached a settlement with hotel chain Marriott International, Inc. after an investigation into a large, multi-year data breach revealed the company failed to comply with consumer protection and personal information protection laws.

Under the settlement with the attorneys general, Marriott agrees to strengthen its data security practices, provide consumers with better protections, and make a $52 million payment to states. Colorado will receive $822,434 from the settlement.

“The law makes it clear to companies that they have to implement reasonable cybersecurity safeguards,” said Weiser. “By failing to comply with the law, Marriott harmed those whose data was stolen. With this settlement, we are not only holding the company accountable for their failure to protect customers and follow the law, we are also requiring them to do a better job moving forward.”

The yearslong breach of the Starwood guest reservation system, during which time intruders went undetected, stretched from July 2014 until September 2018. In 2016, Marriott acquired Starwood and took over its computer system, but did not diagnose and reveal the breach until years later.

During the breach, criminals stole 131.5 million guest records pertaining to customers in the United States. The affected records included contact information, gender, dates of birth, legacy Starwood guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Shortly after Marriott announced the breach of the Starwood database, nearly every attorney general in the country launched an investigation. Today’s settlement resolves allegations by Weiser and the other attorneys general that Marriott violated state consumer protection laws and personal information protection laws.

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices by implementing better training for employees, adopting better data security policies, minimizing the amount of consumer data the company collects and retains, conducting risk assessments according to best practices including assessing potential risks when acquiring new companies and products, and undergoing regular third-party security assessments for the next 20 years.

Additionally, as part of the settlement, Marriott will give consumers a data deletion option and offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

The settlement money Marriott will pay to the state may be used for any restitution where possible, consumer education or consumer protection enforcement, or efforts to advance the public welfare.

# # #

Most Recent

Attorney General Phil Weiser statement on victory in Live Nation / Ticketmaster monopoly case

April 15, 2026 (DENVER) – Attorney General Phil Weiser released the following statement after a jury found Live Nation, parent company of Ticketmaster, is an illegal monopoly in the live entertainment industry: “Today’s jury verdict in our Live Nation/Ticketmaster monopoly case […]

Attorney General Phil Weiser announces $773M agreement with Albertsons for its role in opioid crisis

April 14, 2026 (DENVER) – Attorney General Phil Weiser today announced an agreement in principle that would require the Albertsons grocery chain to pay more than $773.7 million to address its role in the opioid epidemic. Colorado will receive at […]

Safe2Tell reports lead to life-saving interventions for Colorado students in March

April 14, 2026 (DENVER) – The Colorado Attorney General’s Office today announced that Safe2Tell received 2,603 reports in March 2026, including reports that led to immediate, life-saving intervention for students in crisis. In one case, a report of a student […]