Starwood outsourced most of their DBA activities to Accenture India over the affected period - so, you know, you get what you pay for.
And it's also quite likely the breach is not as old as they say it was - they wanted to backdate it to well before GDPR came into effect, otherwise the fines would bankrupt Marriott