The only logical conclusion is the data must have been stolen as an academic exercise.

How lucky Marriott is, to have some good Samaritans to stress-test their security without the intention to misuse their user data.

The NYTimes article about this incident says:

> “Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.

Not to downplay it but my email shows 3 breaches in haveibeenpwned.com, and I haven't had any problem till now, apart from probably more emails in spam folder.