New York (CNN Business)

The chief executive of Marriott gave up some of his bonus pay last year after a hack exposed information about some 500 million guests. But he still made nearly $13 million.

The company said Wednesday that CEO Arne Sorenson asked not to receive bonuses for “individual achievement” or “guest satisfaction” following the data breach. He also declined a bonus that measures Marriott’s success against that of its competitors. And his salary did not increase last year.

Still, Sorenson took home about $12.9 million in pay, including $1.3 million in salary, a $2.9 million cash bonus and $8.4 million in stock awards. He also received nearly $256,000 in other benefits, including complimentary rooms, food and beverages at the company’s hotels and the use of golf and spa facilities while on personal travel.

That compares to total compensation of $13.3 million in the previous year.

The data breach, which Marriott revealed in November, affected the reservation database of Starwood, a group of hotels Marriott bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.

Marriott is being sued by its customers over the hack, and it hasn’t yet estimated how much the breach will cost the company.

Morgan Stanley analysts suggested in December that the company could end up paying $200 million in legal fees and fines, as well as spending $1 per customer to notify them of the hack. That could cost upward of $700 million. Other estimates put the figure as high as $1 billion, but Marriott Chief Financial Officer Leeny Oberg told Bloomberg those forecasts were premature.

While Sorenson’s salary did not increase, the rest of the company’s C-Suite got 3% pay raises. Marriott justified the increases by citing its stock performance and saying that the hack did not materially hurt its bottom line.

Shares in Marriott have increased 9% since the hack. That lags the 14% gain for rival Hilton (HLT) during the same period, but is better than a 5% decline for Hyatt (H).

A spokesperson for Marriott (MAR) said in a statement that the company’s compensation reflects its performance and is set by independent board members.

Separately, Symantec reported Wednesday that the hospitality industry is still susceptible to attacks. Hotel booking sites in particular leak personal information, the security company said.

Two in three booking sites inadvertently leak booking reference codes to third-party sites, including advertisers. With that information, the third parties could log into a reservation, cancel a booking or view a customer’s personal details. The advertisers would be able to view people’s names, email addresses, home addresses, phone numbers, the last four digits of their credit card numbers and passport numbers.

That’s the same kind of data that Marriott’s breach exposed.