Marriott Data Breach Lawsuit: Starwood Records Exposed
Data Breach · Litigation Ongoing

Marriott / Starwood Data Breach Class Action Lawsuit

Published July 14, 2026

If you stayed at a Sheraton, Westin, W, or other Starwood hotel before September 2018, your data was likely in the database behind one of the largest breaches ever disclosed. Here is where the lawsuit actually stands — and why there is nothing to claim.

Marriott / Starwood hotel branding, illustrating the Starwood guest reservation data breach class action, MDL 2879
Marriott disclosed the Starwood guest reservation database breach on November 30, 2018. The consumer class action is MDL No. 2879 in the District of Maryland.
Allegations Only · No Settlement Yet

This article describes a class action and related regulatory actions. The plaintiffs' statements are unproven allegations. Marriott has not been found liable in the consumer class action, there is no certified class right now, and there is nothing to claim. This page is informational and is not legal advice.

What Is This About?

Marriott International faces long-running class action litigation over a breach of the Starwood guest reservation database. The consolidated case is In re: Marriott International, Inc., Customer Data Security Breach Litigation, MDL No. 2879, in the U.S. District Court for the District of Maryland. IT services firm Accenture, which had operated Starwood's systems, is a co-defendant.

Marriott publicly disclosed the incident on November 30, 2018. The compromised system was legacy Starwood infrastructure — from the chains Marriott acquired in 2016 — that had never been migrated onto Marriott's own platforms. Marriott said the unauthorized access dated back to roughly 2014 and had gone undetected for years. Marriott has not been found liable in the consumer case, and the plaintiffs' claims remain unproven allegations.

Status In Litigation — Classes Decertified MDL 2879 · D. Md. · Fourth Circuit enforced the Starwood loyalty class-action waiver on June 3, 2025 · case on remand
Data Exposed Names, passports, contact & reservation data ~383M guest records (Marriott revised, from an initial ~500M estimate) · 5.25M unencrypted passport numbers · access ~2014–2018
Can I Claim? No — nothing to claim yet No consumer settlement or claim form · regulator settlements went to governments, not guests

What Was Exposed

Marriott said the affected information included guests' names, mailing addresses, phone numbers, email addresses, dates of birth, gender, Starwood Preferred Guest (SPG) account details, and reservation information such as arrival and departure dates. It also included about 5.25 million unencrypted passport numbers and roughly 20.3 million encrypted passport numbers, and, for some guests, encrypted payment card data. Marriott stated it could not rule out that the two components needed to decrypt the card data were also taken.

The headline record count has shifted over time, which is normal for a breach this size. Marriott's initial estimate was up to about 500 million records; after de-duplicating its investigation, it revised the figure down to roughly 383 million unique guest records. Regulators have separately described the total across Marriott and Starwood's series of incidents as more than 339 million guest records globally. Those numbers count different things — read any single figure with that caveat in mind.

The Class-Certification Fight

Unlike a typical breach case that is still deciding whether a class exists, the Marriott litigation has already been up and down on that exact question. A district court first certified multiple classes of affected guests in May 2022. The Fourth Circuit vacated that order and sent it back, pointing to a class-action waiver and choice-of-law provision in the SPG loyalty program contract. On remand, the district court re-certified the classes in November 2023, reasoning that Marriott had waived the waiver by litigating in the MDL.

In June 2025, the Fourth Circuit reversed again. In Maldini v. Marriott International, Inc. (and the companion appeal involving Accenture), the court held that the SPG class-action waiver was valid and enforceable and that Marriott had not waived it — decertifying the classes and remanding the case. As of mid-2026 there is no certified consumer class, and the enforceability of that loyalty-program waiver is the controlling obstacle to class treatment.

Is There a Marriott Settlement?

Not for consumers. Marriott has not settled with the consumer class, and with the classes decertified there is no claims administrator, no claim form, and no payout process for guests arising from the MDL. Any website advertising a "Marriott data breach payout" for guests is not describing this case accurately.

What has resolved is the government side — and none of it is a consumer claim fund:

FTC order (October 2024): The Federal Trade Commission required Marriott and Starwood to build a comprehensive information-security program and to give U.S. customers a way to request deletion of personal data tied to their account. There was no monetary penalty, and consumers do not file a claim under it.
Multistate Attorneys General settlement (~$52 million, October 2024): A coalition of roughly 50 states and D.C. required Marriott to pay $52 million to the states and adopt stronger security practices. The money goes to the states, not to guests.
UK ICO fine (~£18.4 million, 2020): A data-protection penalty paid to the UK regulator — again, not a consumer payout.

Who Is Affected and What You Can Do

The affected population is, generally, guests who made a reservation at a Starwood property — brands including Sheraton, Westin, W, St. Regis, and Le Meridien — on or before September 10, 2018, the point at which Marriott completed its move off the Starwood reservation system. Reservations made after that date were on Marriott's own system and outside this breach.

• Because passport numbers were involved for millions of guests, consider whether a passport replacement is warranted if you have specific concerns.
• Watch for phishing that references Marriott, Starwood, or Bonvoy accounts, and monitor your financial accounts.
• Consider a free credit freeze and fraud alerts — these are free and do not depend on the lawsuit.
• There is nothing to file right now; keep any breach notice you received in case a claims process later opens.

For breach settlements that are open and claimable now, see OCA's data breach settlements tracker.

Frequently Asked Questions

Is there a Marriott data breach settlement yet?

No consumer settlement or claim form exists. The consumer classes were decertified in June 2025. The FTC order and the ~$52M multistate settlement are government resolutions, not consumer payouts.

What was exposed?

Names, addresses, phone numbers, email addresses, dates of birth, SPG account and reservation details, about 5.25 million unencrypted passport numbers, and some encrypted payment card data.

Do I need to file a claim?

No. Because there is no consumer settlement, there is nothing to claim and no deadline. Keep any breach notice you received. If a class is certified or a settlement is reached, a claims process and deadlines would be announced separately.

Sources

• Justia Dockets — In re Marriott International Customer Data Security Breach Litigation, MDL No. 2879: JPML Docket (MDL 2879)
• U.S. Court of Appeals for the Fourth Circuit — Maldini v. Marriott International, Inc., No. 24-1064 (June 3, 2025), via Justia: Fourth Circuit Opinion
• Federal Trade Commission — action against Marriott and Starwood (Oct. 9, 2024): FTC Press Release
• New York Attorney General — $52 million multistate settlement with Marriott (Oct. 2024): NY AG Press Release
• Marriott — official Starwood database security incident update: Marriott Incident Page


For more class actions keep scrolling below.
Status In Litigation — Consumer Classes Decertified (on remand)
Case In re Marriott International, Inc., Customer Data Security Breach Litigation
MDL Number MDL No. 2879 · No. 8:19-md-02879
Court U.S. District Court, District of Maryland
Appeal Maldini v. Marriott Int'l, No. 24-1064 (4th Cir., June 3, 2025)
Disclosed November 30, 2018 · Starwood reservation database

Related Data Breach Cases & Settlements