"At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," Marriott said in a statement.
The incident follows a 2014 compromise of Starwood Hotels guest reservation database, which was acquired by Marriott in 2016. The breach, which exposed personal details of over 339 million guests globally, wasn't detected until November 2018, leading to it paying a fine of £99 million ($123 million) to the UK's data privacy regulator Information Commissioner's Office under GDPR laws.
They caught this one in two months! so they have that going for them.