The New York Times reported earlier this week that the methods behind the Marriott hack were the same as those used by the Chinese government hackers who penetrated a number of US institutions earlier this decade.
The information gathered was then likely used mainly for espionage purposes rather than in an attempt to use the compromised credit cards or points.
Here’s an excerpt from the New York Times (access their piece here):
The cyberattack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation.
The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days.
Those moves include indictments against Chinese hackers working for the intelligence services and the military, according to four government officials who spoke on the condition of anonymity. The Trump administration also plans to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.
If a government-backed entity wants to hack into any private enterprise, it is probably very difficult to prevent, considering the resources and technology such an entity has access to.
It remains to be seen whether these Chinese hackers were the only ones in the cookie jar or whether other entities also had access to the Starwood customer data.
I would assume that the US government, through the NSA, has access to this information directly (at least to that of non-US citizens staying at any Marriott-affiliated property worldwide).