Marriott Data Breach — Exercise Your GDPR Rights

Marriott International suffered one of the largest ever hotel data breaches — a compromise of the Starwood reservation system that ran undetected from 2014 to 2018 and exposed up to 500 million guest records.

⚖️ Regulatory action: Marriott was fined £18.4 million by the UK ICO in 2020 for the Starwood breach (reduced from an initial £99 million notice).

What happened

2018: Up to 500 million guests affected

Hackers had access to the Starwood Hotels reservation system for four years before discovery. The breach exposed comprehensive guest profiles including passport numbers, payment cards, and travel history.

Data exposed:
  • Full names
  • Addresses
  • Phone numbers
  • Email addresses
  • Passport numbers
  • Dates of birth
  • Encrypted payment card numbers
  • Arrival and departure dates

2020: 5.2 million guests affected

Login credentials of two Marriott employees were used to access guest information, exposing contact details, loyalty account data, and personal preferences.

Data exposed:
  • Names
  • Email addresses
  • Phone numbers
  • Loyalty account numbers
  • Employer and room preferences

What you can do

If you stayed at a Starwood or Marriott property between 2014 and 2020, your data may have been exposed. A GDPR access request reveals what Marriott holds — including whether your passport number, payment data, or travel history was part of the breach.

You have two key rights under GDPR:

Note: Marriott International processes EU guest data. Address your request to their Data Protection Officer via their privacy portal. Privacy portal ↗

Generate your access request

Fill in your details below. Address the completed letter to Marriott International's Data Protection Officer — find the contact details via the link above.

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.