If it started in 2014 I can easily blame SPG. I am by no means a fan of Marriott but assuming it wasn't a super obvious exploit and some SQL9 database on a Win 2000 server; it is unlikely to surface in any due diligence. There are many many many things I can blame Marriott for - this isn't one of them. And honestly - without knowing what the exploit was - I am not blaming SPG yet either. Sometimes things happen that shouldn't. I have had some (granted minor - but it's a much smaller business) data breaches happen while CEO and ultimately responsible; I am well above average technical - but no number of policies and training will catch every last thing that can go wrong