Interestingly after doing some further this gives me a bit more confidence in Marriotts cyber security.
Marriott "merged" with Starwood in 2016 in one of these mergers that's really a takeover.
Looks like their systems integration started in 2017, and this August they combined their loyalty schemes.
This sounds very much like they finished wrapping starwoods systems into their cyber security monitoring and immediately found something nasty that the smaller company previously didn't have sufficient tools or processes to catch.
I'm still cheesed off that I'm affected due to a stay back in 2011, for which they had no reason to retain my details.