The Marriott database contains not only credit card information but passport data.
The spies stole passport numbers of up to 327 million people – many of whom stayed at Sheraton, Westin and W hotels and at other Starwood-branded properties.
The hacking was discovered only in September and revealed late last month.
But Marriott has not said if it would pay to replace those passports, an undertaking that would cost tens of billions of dollars.
The discovery comes as US President Donald Trump’s administration is planning actions targeting China’s trade, cyber and economic policies.
The actions also include indictments against Chinese hackers working for the intelligence services and the military.
The administration is also planning to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.
The Marriott hacking is not expected to be part of the coming indictments.
In response to the development, Geng Shuang, a spokesman for China’s Ministry of Foreign Affairs, denied any knowledge of the Marriott hacking.
“China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”
If offered evidence, the relevant Chinese departments will carry out investigations according to the law.”