What happened?
In October 2024, Marriott International reached a settlement with the Federal Trade Commission (FTC), agreeing to pay $52 million as well as to restore loyalty points stolen by cybercriminals from its Bonvoy program, which has over 200 million members. The settlement arises from multiple high-profile data breaches, where sensitive customer information was compromised, affecting millions of guests.
Quick background
Shortly after Marriott’s acquisition of Starwood Hotels in 2016, a significant data breach exposed the information of approximately 383 million guests and was linked to a multi-year intrusion into Starwood's systems, occurring between 2014 and 2018. The compromised data included sensitive information such as passport numbers, payment details, personal identification data, and – you guessed it – loyalty points. In addition, Marriott reported a separate breach in 2020 that affected 5 million guests, further amplifying concerns regarding the security of customer data.
How the recent decision impacts loyalty programs
The FTC’s decision reflects a growing recognition of the potential harm caused by data breaches, not just in terms of personal information loss but also regarding loyalty points – which have now been acknowledged as personal assets.
- Marking a change in federal agencies and regulators' perspective: Acknowledging loyalty points as personal assets – and subsequently restoring loyalty points – signifies a shift in how federal agencies perceive the impact of losing loyalty points for consumers.

