​​​​​So a hotel with lax security, malware, or a rogue guest/employee accessed 5.2 MILLION records? I don't fault the location at all when it is clearly a corporate failure.

Fire their corporate IT. All of them.

I assume even the largest, busiest hotel would only ever need to access 1000 or 2000 in a day. A peak usage fuse on the data should have been made and triggered a disconnect above 150% of normal inquiry rate.