It's likely that Marriott will argue it was hit with breach-by-acquisition, as a result of acquiring Starwood and any information security issues that came along with it.
And now we've come across a very interesting story in Forbes about the possibility of unreported Marriott hacks and a string of alleged cybersecurity issues with Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016.
Here's one excerpt from the story where Forbes spoke with a researcher and founder at a security vendor about network vulnerabilities at Starwood:
One was the use of an easily guessable password for Starwood’s ServiceNow cloud computing service. Within the ServiceNow portal, it’s possible to access businesses’ financial records, IT security controls and bookings information.
Going back to 2014, the year when Marriott said Starwood’s network had been hacked, Holden claimed there was a serious vulnerability on the company’s website. Known as an SQL injection bug, it could’ve been exploited to gain access to Starwood databases. He said that such vulnerabilities and even services offering to hack Starwood were being offered amongst hackers on the Dark Web back in 2014.
That same year, Starwood point-of-sale systems had been hacked.
And these are only some of the allegations in the article.