Nov 30, 2018

Massive Marriott breach sparks international calls for investigation

Marriott's disclosure of a data breach — dating back to 2014 and affecting as many as 500 million customers — puts the hotel industry under a harsh regulatory microscope and could be a test case for Europe's stringent new data laws.

The big picture: Based on Marriott's initial disclosure, this would be the second-biggest breach of all time, trailing only Yahoo! in 2013. It is by far the biggest breach disclosure since the European laws came into effect earlier this year.

The breach was in the Starwood reservations system, which has 11 brands and roughly 1,200 properties in its portfolio, including Sheraton, St. Regis, Westin and W Hotels. Marriott bought Starwood for $13.6 billion in 2016.

  • "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences," the company said in a statement.
  • "For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)."
  • "There are two components needed to decrypt the payment card numbers..."
  • "At this point, Marriott has not been able to rule out the possibility that both were taken."

Between the lines: "The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems." [WSJ]

  • "Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott 'has the potential to trigger the first hefty G.D.P.R. fine,' said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted earlier this year." [NYT]
  • "News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe." [Washington Post]

What's next: "Attorneys general in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK’s Information Commissioner’s Office," Reuters reported.

The bottom line: "With all of the big breaches, it's easy to get apathetic about security," Axios cybersecurity reporter Joe Uchill explains. "I no longer blink unless breaches affect more than 1 million people, which was still a huge number of accounts just a few years ago."

  • "But it's important to remember that every data breach presents danger to millions of people, and possibly to you."
