Marriott International
MAR
Consumer Discretionary
4
exclusion reasons
4 themes
This page is part of our public exclusion list — a transparency tool that shows which companies we screen out and why. It is not investment advice, and it is not an accusation. But it is subject to change as our understanding of the facts evolves.
Marriott International has been subject to enforcement actions across three separate data breaches spanning 2014 to 2022, collectively affecting approximately 344 million customers worldwide. The most significant breach originated in Starwood Hotels' reservation database in 2014, continued undetected through Marriott's 2016 acquisition of Starwood, and was disclosed in November 2018 after exposing approximately 383 million guest records including unencrypted passport numbers, payment card data, and loyalty account information. The UK Information Commissioner's Office fined Marriott GBP 18.4 million for GDPR violations. In October 2024, 49 state attorneys general and the District of Columbia reached a $52 million settlement, and Texas separately settled for $3.5 million. The FTC imposed a 20-year consent order requiring a comprehensive security overhaul, multi-factor authentication, and biennial third-party security assessments. A second breach in 2020 exposed 5.2 million guest records after hackers obtained employee credentials; a third in 2022 involved 20 GB of data exfiltrated via social engineering at a Baltimore property.
Marriott paid $3.5M to settle a guest injury claim and faces a wrongful death lawsuit after a guest died from scalding burns at a Fairfield by Marriott property due to dangerously hot water systems.
Marriott has an NLRB finding of a Section 8(a)(1) violation for interfering with employees' rights to organize, with a documented $12,138 penalty. ViolationTracker records additional labor relations violations.
Marriott International participates in the political process through its corporate political action committee (Marriott International, Inc. PAC), which makes federal campaign contributions. The company’s stated policy is to engage in political activity to promote its business interests.
However, this political engagement occurs alongside a pattern of regulatory failures concerning consumer protection. The UK Information Commissioner’s Office (ICO) issued a notice of intention to fine Marriott £99.2 million for infringements of data protection law related to a major breach. Separately, the U.S. Federal Trade Commission (FTC) took action against Marriott in 2024 for security failures leading to multiple data breaches. In 2023, the company dismissed reports of guest surveillance at a franchised property in Poland as “unfounded” allegations. This record of significant regulatory penalties and defensive posturing in the face of consumer harm raises questions about whether the company’s political activities are leveraged to shield its operations from accountability for such practices.
Research Sources
11 organizations
Related Exclusions
Wondering what we do invest in?
The Naughty List
A digest of changes to our exclusion list — new additions, removals, and the evidence behind them. We review the list continuously as new evidence surfaces.
Companies appear on our exclusion list based on our investment judgment — not because they've done anything illegal. This is a difference of values and opinion, not an accusation of wrongdoing. Exclusion does not constitute a recommendation against investing in any company, and absence from the list does not constitute a recommendation to invest.
This information is provided for educational and transparency purposes only and should not be relied upon as investment advice. Data is drawn from independent watchdogs, NGOs, government registries, and Ethical Capital's ongoing research — see Research Sources for the full list.
Ethical Capital LLC is a state-registered investment adviser in Utah (CRD #316032). Registration does not imply a certain level of skill or training.