Illustration: Rebecca Zisser/Axios

Marriott's disclosure of a data breach — dating back to 2014 and affecting as many as 500 million customers — puts the hotel industry under a harsh regulatory microscope and could be a test case for Europe's stringent new data laws.

The big picture: This would be the 2nd biggest breach of all time, trailing only Yahoo! in 2013, based on Marriott's initial disclosure. This is by far the biggest breach disclosure since the European laws came into effect earlier this year.

The breach was in the Starwood reservations system, which has 11 brands and roughly 1,200 properties in its portfolio, including Sheraton, St. Regis, Westin and W Hotels. Marriott bought Starwood for $13.6 billion in 2016.

  • "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences," the company said in a statement.
  • "For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)."
  • "There are two components needed to decrypt the payment card numbers..."
  • "At this point, Marriott has not been able to rule out the possibility that both were taken."

Between the lines: "The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems." [WSJ]

  • "Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott 'has the potential to trigger the first hefty G.D.P.R. fine,' said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted earlier this year." [NYT]
  • "News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe." [Washington Post]

What's next: "Attorneys general in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK’s Information Commissioner’s Office," Reuters reported.

The bottom line: "With all of the big breaches, it's easy to get apathetic about security," Axios cybersecurity reporter Joe Uchill explains. "I no longer blink unless breaches affect more than 1 million people, which was still a huge number of accounts just a few years ago."

  • "But it's important to remember that every data breach presents danger to millions of people, and possibly to you."

Go deeper: Behind the Marriott breach's "500 million affected" tally

Subscribe to Axios AM/PM for a daily rundown of what's new and why it matters, directly from Mike Allen.
Please enter a valid email.
Please enter a valid email.
Server error. Please try a different email.
Subscribed! Look for Axios AM and PM in your inbox tomorrow or read the latest Axios AM now.

Go deeper

What Matters 2020

The missed opportunities for 2020 and beyond

Photo illustration: Sarah Grillo/Axios. Photos: Jason Armond (Los Angeles Times), Noam Galai, Jabin Botsford (The Washington Post), Alex Wong/Getty Images

As the 2020 presidential campaign draws to a close, President Trump and Joe Biden have focused little on some of the most sweeping trends that will outlive the fights of the moment.

Why it matters: Both have engaged on some issues, like climate change and China, on their own terms, and Biden has addressed themes like economic inequality that work to his advantage. But others have gone largely unmentioned — a missed opportunity to address big shifts that are changing the country.

Updated 1 min ago - Politics & Policy

Coronavirus dashboard

Illustration: Aïda Amer/Axios

  1. Politics: Pence chief of staff Marc Short tests positive for coronavirus — COVID-19 looms over White House Halloween celebrations.
  2. Health: Fauci says maybe we should mandate masks if people don't wear them — America was sick well before it ever got COVID-19.
  3. World: Polish President Andrzej Duda tests positive for COVID-19.

Pence chief of staff Marc Short tests positive for coronavirus

Marc Short with Katie Miller, Vice President Pence's communications director, in March. Photo: Doug Mills/The New York Times via Reuters

Marc Short, Vice President Mike Pence’s chief of staff, tested positive for the coronavirus Saturday and is quarantining, according to a White House statement.

Why it matters: Short is Pence's closest aide, and was one of the most powerful forces on the White House coronavirus task force.