2018 Marriott Breach

From Privacy Wiki
2018 Marriott Breach
Short Title: Marriott Data Breach 2018
Location: Global
Date: November 30, 2018

Solove Harm: Information Collection, Information Processing, Information Dissemination, Invasion
Information: Names, addresses, passport numbers, email addresses, payment card information
Threat Actors: Unidentified hackers

Affected: Approximately 500 million Marriott customers who had stayed at Starwood hotels and resorts
High Risk Groups: Individuals who had sensitive personal information exposed
Tangible Harms: Potential for identity theft, financial fraud

A security breach affecting Marriott International's Starwood guest reservation database was disclosed in November 2018. The breach, which had been ongoing since 2014, exposed the personal information of about 500 million customers, including names, addresses, passport numbers, email addresses, and some payment card information. Unknown hackers were responsible for the intrusion. It led to investigations under the GDPR and various state data breach notification regulations in the US. In addition to the reputational impact on Marriott, the incident could have led to financial fraud and identity theft.


The Marriott data breach was a notable security event in 2018 involving millions of guests who had stayed at Starwood hotels and resorts. During the intrusion, personal data, including sensitive information such as passport numbers, was accessed and captured without authorization. The incident left the affected people worried about financial fraud and identity theft. Marriott was subject to legal investigation under the GDPR and numerous state data breach notification regulations in the United States. The incident caused both normative harms (such as invasion of privacy and interference with decision-making) and concrete harms (potential financial losses and harm to Marriott's reputation).

Laws and Regulations

Investigation under GDPR (European Union's General Data Protection Regulation) and various U.S. state data breach notification laws