A few points of interest and shows they had some active notification system that alerted them.
Page 2 Section B:
On September 8, 2018, Accenture, which managed the Starwood Guest Reservation
Database, contacted Marriott’s IT team with information about a Guardium alert generated on
September 7. Guardium is an IBM security product used on the Starwood system to help secure
databases. The Guardium alert was triggered by a query from an administrator’s account to return the count of rows from a table in the database. Such a query would not return the content of these rows, only the total number of rows in the table. As part of our investigation into the alert, we learned that the individual whose credentials were used had not actually made the query.
Page 3 Section C:
In early October 2018, the investigators found on some systems evidence of malware, including MimiKatz, a tool that searches a device’s memory for usernames and passwords.