A federal judge just certified the Marriott data-breach class action for 45 million hotel guests in California, Connecticut, Florida, Georgia, Maryland, and New York — damages trials now move forward

For nearly eight years, tens of millions of hotel guests have waited to learn whether Marriott International would face a courtroom reckoning over one of the largest data breaches ever disclosed. In May 2026, a federal judge in Maryland answered that question: yes.

U.S. District Judge Paul W. Grimm certified a class action on behalf of roughly 45 million guests whose personal information was compromised in the Starwood reservation database breach. The ruling clears guests in six states – California, Connecticut, Florida, Georgia, Maryland, and New York – to pursue individual damages as a group. The central question now shifts from whether the case can proceed to what Marriott owes each person whose name, passport number, email address, or payment card data was stolen.

The breach and its scale

Marriott disclosed in November 2018 that attackers had been inside the Starwood reservation system since 2014, two full years before Marriott completed its acquisition of Starwood Hotels & Resorts. The company initially estimated that up to 500 million guest records were exposed. In January 2019, it revised that figure to approximately 383 million.

The compromised data included names, mailing addresses, phone numbers, dates of birth, email addresses, passport numbers, Starwood Preferred Guest account details, and in some cases encrypted payment card numbers. Court filings in the multidistrict litigation docket describe how attackers moved laterally within the network and exfiltrated data over roughly four years without detection.

Plaintiffs argue that the length and scope of the intrusion point to systemic security failures: insufficient network monitoring, inadequate encryption of sensitive fields, and a failure to remediate known vulnerabilities during and after the Starwood acquisition. Marriott has maintained that it acted promptly once the breach was discovered.

Why six states, not fifty

Data-breach class actions frequently collapse when plaintiffs try to certify a single nationwide class. Consumer-protection statutes, negligence standards, and damages rules vary sharply from state to state, and courts often find those differences make a nationwide class unmanageable. The Equifax breach litigation, for comparison, ultimately settled rather than face that fragmentation at trial.

Here, plaintiffs took a narrower path. By seeking certification in six states with relatively strong consumer-protection frameworks, they sidestepped the manageability objections that have derailed other large-scale breach cases. The judge agreed that common questions of fact and law predominate within each state subclass, clearing the way for liability and damages to be tried on a classwide basis rather than guest by guest.

The 45 million figure reflects the estimated number of affected guests with connections to those six states, drawn from Starwood’s own reservation records. Exact per-state breakdowns remain sealed, which means Marriott’s precise financial exposure in each jurisdiction is difficult to pin down from public filings alone. Guests in other states are not part of this certified class, though separate litigation or future proceedings could potentially address their claims.

Regulatory actions already on the books

The class action is not the only front where Marriott has faced consequences. The Federal Trade Commission brought an enforcement action under administrative matter 192-3022, resulting in a finalized consent order in October 2024. That order requires Marriott and Starwood to implement a comprehensive information-security program, conduct regular risk assessments, strengthen oversight of third-party service providers, and submit to periodic independent evaluations. The FTC did not impose a monetary penalty on consumers’ behalf, but its finding that Marriott’s prior security practices were inadequate hands plaintiffs a powerful piece of evidence for the civil case.

Separately, a coalition of 49 state attorneys general and the District of Columbia reached a $52 million multistate settlement with Marriott in October 2024. Beyond the payment, the agreement requires the company to adopt additional data-security safeguards and gives affected guests new options for managing their information, including the ability to request deletion of certain personal data. That settlement resolved state-level enforcement claims but explicitly does not extinguish the private class action, which seeks monetary relief for individual harms: identity-theft risk, time spent monitoring accounts, out-of-pocket costs, and the alleged diminished value of personal data.

What the damages fight will look like

Certification opens the courtroom door. Walking through it is a different challenge entirely.

Plaintiffs will need to translate abstract risks into concrete dollar amounts. Their legal teams are expected to present expert models estimating the increased probability of identity theft and fraud for people whose passport numbers or payment card data were exposed. They will also seek reimbursement for documented out-of-pocket costs, including credit-monitoring subscriptions, and compensation for the time guests spent freezing credit reports, disputing fraudulent charges, or replacing compromised documents like passports.

Marriott is expected to counter that many class members suffered no actual financial loss and that the company’s post-breach remediation, including free identity-monitoring services offered to affected guests, already addressed the harm. As of June 2026, Marriott has not publicly indicated whether it intends to appeal the certification ruling. Seeking appellate review of a class certification order is a common defense tactic in large-scale litigation, and if pursued, it could delay damages proceedings by months or longer.

Because the classes span six states, the court will also need to navigate differences in how each jurisdiction treats non-economic harms like emotional distress and loss of privacy. California and Connecticut, for example, have relatively expansive consumer-protection statutes that may support broader damages theories than Georgia or Maryland.

For context, the Equifax data breach, which exposed the records of roughly 147 million people, resulted in a settlement fund of up to $425 million. Individual payouts in that case were modest. Whether the Marriott litigation follows a similar pattern or produces a different outcome will depend heavily on how the damages evidence holds up at trial.

What affected guests should know right now

If you stayed at a Starwood-brand property before September 2018 and your reservation was in the Starwood system, your data may have been part of the breach. Starwood brands include W Hotels, Sheraton, Westin, Le Méridien, Four Points by Sheraton, Aloft, Element, St. Regis, and The Luxury Collection. (The Starwood Preferred Guest loyalty program has since been folded into Marriott Bonvoy, so current Bonvoy members who originally joined through Starwood may be affected.)

Guests in California, Connecticut, Florida, Georgia, Maryland, and New York are covered by the newly certified classes. No claims process has been announced yet. Class certification means the case can proceed to trial or settlement on behalf of the group, but individual payouts, if any, are likely months or years away.

In the meantime, affected guests can exercise data-deletion rights established under the multistate attorney general settlement and should continue monitoring financial accounts and credit reports for suspicious activity. Placing a free credit freeze with each of the three major bureaus (Equifax, Experian, and TransUnion) remains one of the most effective steps anyone can take after a breach of this kind.

Detailed court orders, any bellwether trial schedule, and updated case timelines are available through the federal PACER system.

Marriott’s three-front legal reality

Marriott now faces accountability on three simultaneous tracks. The FTC consent order mandates ongoing security improvements and independent audits. The multistate settlement imposes consumer-facing protections and cost the company $52 million. And the certified class action in Maryland puts the question of individual guest compensation squarely before a federal judge for the first time in this litigation’s history.

The company has not issued a detailed public statement on the certification ruling. Its SEC filings acknowledge the litigation as a material risk but do not estimate a specific liability range for the class action. Whether Marriott’s next step is a settlement offer, an appeal of the certification order, or preparation for trial will shape what 45 million guests ultimately receive. The legal terrain, after years of procedural gridlock, has shifted decisively in their favor.
