In a recent court case Marriott has revealed that it was actually securing data using SHA-1 and not the more secure AES-128 encryption algorithm. Marriott was arguing that the encryption they were using was so strong the case against them should have been dismissed, however they recently revealed they were actually using SHA-1 at the time of the breach, which only provides hashing, not encryption. SHA-1 is not a secure algorithm and can easily be defeated. The initial breach was in November 2018 and compromised payment card numbers and certain passport numbers.
More info at CSO Online!