Colorado Receives $822,434 from Marriott Data Breach Settlement: A Victory for Consumer Protection

In a significant win for consumer protection, Colorado has been awarded $822,434 in a nationwide settlement over Marriott’s massive data breach. The settlement comes after a multi-year investigation, led by Attorney General Phil Weiser and nearly every state attorney general in the country, into the hotel giant’s failure to safeguard customer information.

The breach, which affected Marriott’s Starwood guest reservation system, went undetected for years, allowing criminals to steal sensitive personal data from millions of guests between July 2014 and September 2018. In the U.S. alone, over 131 million guest records were compromised, including contact details, passport numbers, credit card information, and even hotel stay preferences.

“We’re not just holding Marriott accountable for the damage caused by their failure to protect customers—we’re also making sure they do a better job going forward,” Weiser said in a statement. The $52 million nationwide settlement is a reflection of Marriott’s lapses in cybersecurity, with Colorado receiving about 1.6% of that total.

The consequences of Marriott’s lax security were staggering. Stolen data included unexpired credit cards, passport numbers, and even reservation details. The breach was a massive violation of trust, affecting millions of people who had no idea their personal information had fallen into the wrong hands for years.

Attorney General Weiser made it clear that Marriott’s mistakes weren’t just careless—they were a violation of the law. “The law makes it clear to companies that they have to implement reasonable cybersecurity safeguards,” he said. “By failing to comply with the law, Marriott harmed those whose data was stolen.”

The settlement requires Marriott to overhaul its cybersecurity practices, including improving employee training, implementing stronger security policies, and conducting regular third-party risk assessments. It’s a stern reminder to corporations that cybersecurity is a critical responsibility, not an afterthought.

Colorado’s share of the settlement will help with restitution efforts and signals a step forward in holding corporations accountable for their handling of personal data. Consumers in Colorado and across the country can now hope for better protection as companies like Marriott face greater scrutiny and oversight.

As the dust settles on this historic case, one thing is certain: data security isn’t just a technical issue—it’s a matter of trust. And as this settlement shows, when that trust is broken, the consequences can be costly.