Marriott Data Breach Claims

Marriott has been fined £18.4 million after a huge data breach.

Get justice for the Marriott International data breaches

In 2018, a huge data breach put 339 million Marriott International customers at risk. While the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014.

Following the 2018 breach, Marriott has been fined £18.4 million by the Information Commissioner’s Office (ICO). But this payment will not be used to compensate victims.

You would think the hotel giant would have learned its lesson, but this doesn’t seem to be the case. In 2020, Marriott confirmed another data breach – this time involving the personal information of 5.2 million guests.

If your data was put at risk by either of the Marriott data breaches, you may be able to make a compensation claim.

Marriott hotel data breaches

Marriott Data Breach (2018)


Marriott International Group admitted that around 339 million customers had their personal data put at risk. This makes the Marriott data hack one of the most serious data breaches of its kind.

In response, the Information Commissioner’s Office (ICO) fined the US hotel group Marriott International £18.4 million. If your data was put at risk by Marriott, you should now make a data breach compensation claim.

Marriott Data Breach (2020)

On Tuesday 31st March, Marriott announced that it was notifying some guests of a security incident involving an unspecified system at a franchise hotel. Marriott believes that up to 5.2 million guests may have been affected.
It has sent these people an email to confirm their involvement. If you receive this email, you can make a data breach compensation claim.

The 2018 Marriott data hack affected customers who made reservations at the following hotels and timeshare properties:

W Hotels


Aloft Hotels

Design Hotels

Sheraton Hotels & Resorts

Westin Hotels & Resorts

Element Hotels

The Luxury Collection

Le Méridien Hotels & Resorts

Tribute Portfolio

Four Points by Sheraton

Starwood timeshare properties

Why claim data breach compensation?

Hold Marriott to account for failing to protect your private information.

Receive financial compensation for your losses.

Force hotels to implement better data security.

Holding Marriott to account

The Marriott data breaches were able to happen because the hotel group failed to implement reasonable and robust security processes. So, claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously is by taking strong and decisive action.


Marriott Data Breach Timeline

  • 2014 - 10th September 2018
    Cybercriminals were able to repeatedly access, encrypt, and download mass amounts of customer data from the Starwood reservation system.
  • September 2016
    Marriott purchased Starwood. However, rather than migrate to Marriott's own reservation system, the business continued to use IT infrastructure inherited from Starwood.
  • 19th November 2018
    An internal investigation found that there had been unauthorised access to a database. This contained guest information relating to reservations at various Starwood properties. The investigation also revealed that 500 million guest records had been involved. Many of the records included extremely sensitive information such as credit card and passport numbers.
  • 30th November 2018
    Marriott announced the Starwood guest reservation database security incident. Marriott also began sending emails to all affected guests.
  • December 2018
    The media reported that state-sponsored Chinese hackers were possibly behind the attack.
  • 9th July 2019
    Following an investigation into the breach, the ICO announced its intention to fine Marriott International, Inc more than £99 million under GDPR for the data breach. Marriott appealed the fine. In response, the ICO said that it would consider carefully the representations made by the company and the other concerned data protection authorities before making a final decision.
  • Mid-January 2020
    In a further data breach, guest information was accessed using the login credentials of two employees at a franchise property.
  • February 2020
    Marriott discovered this second data breach.
  • 31st March 2020
    Marriott announced that it was notifying some guests of the security incident at the franchise hotel.
  • 30th October 2020
    The ICO fined Marriott International Inc £18.4 million for the data protection breach discovered in 2018. The reduced fine was issued after the business made representations to the ICO. The impact of COVID-19 was also taken into account by the ICO.

Latest News



Find out more about making a group action claim for compensation against Marriott.



What does no-win, no-fee actually mean and are there really no costs if you appoint us?

Why use Keller Lenkner UK to make a claim?

We are one of the most experienced multi-claimant law firms in the UK.

Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.

We represent clients in group actions and individual cases with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in Chancery Lane, London and Liverpool City Centre, and the technology to provide a nationwide service.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.


Your questions answered

See our answers to the FAQs we get asked about the Marriott Data Breach.

FAQs about the Marriott data breach

Marriott International suffered a cyber-attack in 2014 affecting millions of its guests yet the incident was not discovered until four years later.

Marriott International Group admitted that around 339 million customers had their personal data put at risk. This makes the Marriott data hack one of the most serious data breaches of its kind.

The vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016.

The stolen data includes information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott also said that it was not able to rule out whether credit card information was exposed.

This theft of personal and financial information could lead to identity and financial fraud which has the potential to turn a person’s life upside down.

On Tuesday 31st March, Marriott announced that it was notifying some guests of a security incident involving an unspecified system at a franchise hotel. In a statement, the hotel chain said:

“At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.

“Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

The following information may have been compromised in the hack, although Marriott states that not all of this information was present for every guest involved:

  • Contact details (e.g. name, mailing address, email address, and phone number)
  • Loyalty account information (e.g. account number and points balance, but not passwords)
  • Additional personal details (e.g. company, gender, and birthday day and month)
  • Partnerships and affiliations (e.g. linked airline loyalty programs and numbers)
  • Preferences (e.g. stay/room preferences and language preference).

The Information Commissioner’s Office (ICO) has investigated this data breach. The ICO is the independent authority charged with upholding data protection rights in the UK.

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

In response, the Information Commissioner’s Office (ICO) has fined the US hotel group Marriott International £18.4 million. 

No. While the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach.

Customers who have been affected should have been told already. If you are a Marriott International customer and you haven’t received an email, make sure that you check your junk mail folder.

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial losses

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.


GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never be pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, PIN or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.