Illustration: Rebecca Zisser/Axios

Marriott's disclosure of a data breach — dating back to 2014 and affecting as many as 500 million customers — puts the hotel industry under a harsh regulatory microscope and could be a test case for Europe's stringent new data laws.

The big picture: This would be the 2nd biggest breach of all time, trailing only Yahoo! in 2013, based on Marriott's initial disclosure. This is by far the biggest breach disclosure since the European laws came into effect earlier this year.

The breach was in the Starwood reservations system, which has 11 brands and roughly 1,200 properties in its portfolio, including Sheraton, St. Regis, Westin and W Hotels. Marriott bought Starwood for $13.6 billion in 2016.

  • "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences," the company said in a statement.
  • "For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)."
  • "There are two components needed to decrypt the payment card numbers..."
  • "At this point, Marriott has not been able to rule out the possibility that both were taken."

Between the lines: "The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems." [WSJ]

  • "Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott 'has the potential to trigger the first hefty G.D.P.R. fine,' said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted earlier this year." [NYT]
  • "News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe." [Washington Post]

What's next: "Attorneys general in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK’s Information Commissioner’s Office," Reuters reported.

The bottom line: "With all of the big breaches, it's easy to get apathetic about security," Axios cybersecurity reporter Joe Uchill explains. "I no longer blink unless breaches affect more than 1 million people, which was still a huge number of accounts just a few years ago."

  • "But it's important to remember that every data breach presents danger to millions of people, and possibly to you."

Go deeper: Behind the Marriott breach's "500 million affected" tally

Go deeper

BP's in the red, slashing its dividend and vowing a greener future

Photo: Ben Stansall/AFP via Getty Images

BP posted a $6.7 billion second-quarter loss and cut its dividend in half Tuesday while unveiling accelerated steps to transition its portfolio toward low-carbon sources.

Why it matters: The announcement adds new targets and details to its February vow to become a "net-zero" emissions company by mid-century.

Women-focused non-profit newsrooms surge forward in 2020

Illustration: Eniola Odetunde/Axios

Women are pushing back against the gender imbalance in media by launching their own news nonprofits and focusing on topics many traditional news companies have long ignored.

Why it matters: "The news business is already gendered," says Emily Ramshaw, co-founder and CEO of The 19th*, a new nonprofit, nonpartisan newsroom reporting at the intersection of women, politics and policy.

The U.S. is now playing by China's internet rules

Illustration: Aïda Amer/Axios

President Trump's crackdown on TikTok suggests that the U.S. government is starting to see the internet more like China does — as a network that countries can and should control within their borders.

The big picture: Today's global internet has split into three zones, according to many observers: The EU's privacy-focused network; China's government-dominated network; and the U.S.-led network dominated by a handful of American companies. TikTok's fate suggests China's model has U.S. fans as well.