Nov 30, 2018

Axios PM

By Mike Allen
Mike Allen

Situational awareness: A 7.0 magnitude earthquake struck just north of Anchorage, Alaska, shaking buildings, cracking roads and pausing air traffic into the state's busiest airport.

1 big thing: Marriott's turn in the fire

Illustration: Rebecca Zisser/Axios

Marriott's disclosure of a data breach — dating back to 2014 and affecting as many as 500 million customers — puts the hotel industry under a harsh regulatory microscope and could be a test case for Europe's stringent new data laws.

The big picture: This would be the 2nd biggest breach of all time, trailing only Yahoo! in 2013, based on Marriott's initial disclosure. This is by far the biggest breach disclosure since the European laws came into effect earlier this year.

  • The breach was in the Starwood reservations system, which has 11 brands and roughly 1,200 properties in its portfolio, including Sheraton, St. Regis, Westin and W Hotels. Marriott bought Starwood for $13.6 billion in 2016.
  • "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences," the company said in a statement.
  • "For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)."
  • "There are two components needed to decrypt the payment card numbers..."
  • "At this point, Marriott has not been able to rule out the possibility that both were taken."

Between the lines:

  • "The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems." [WSJ]
  • "Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott 'has the potential to trigger the first hefty G.D.P.R. fine,' said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted earlier this year." [NYT]
  • "News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe." [Washington Post]

What's next: "Attorneys general in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK’s Information Commissioner’s Office," Reuters reported.

The bottom line: "With all of the big breaches, it's easy to get apathetic about security," Axios cybersecurity reporter Joe Uchill emails. "I no longer blink unless breaches affect more than 1 million people, which was still a huge number of accounts just a few years ago."

  • "But it's important to remember that every data breach presents danger to millions of people, and possibly to you."

Go deeper: Behind the Marriott breach's "500 million affected" tally

Bonus: GIF du jour

Vladimir Putin and Saudi crown prince Mohammad bin Salman clasp hands at the G-20 today, with President Trump in the background.

2. What you missed
  1. Exclusive: Vaping giant Juul is facing employee resistance to a proposed investment by Altria Group, the maker of Marlboro cigarettes. Go deeper.
  2. USMCA has been signed: President Trump, Canadian Prime Minister Justin Trudeau and Mexican President Enrique Peña Nieto affixed their signatures at the G20 today. Go deeper.
  3. Dallas police officer Amber Guyger was indicted on a murder charge by a grand jury for shooting Botham Jean, an unarmed African American man, in his apartment while she was off duty. Go deeper.
  4. Millennials have "paid the price for coming of age" in the midst of the Great Recession and are less financially stable than previous generations, NPR reports.
  5. The NFL's ratings are up compared to last year's dip, but their ad revenue is still in the red after falling 19% through the first two months of this season, Bloomberg reports.
3. 1 fun thing

"Wizard of Oz" is the most influential movie of all time, according to a new study:

  • "The 1939 classic The Wizard of Oz has had the most impact in Hollywood, according to a report in the journal Applied Network Science."
  • "The team analyzed the impact of more than 47,000 films across 26 genres to determine which titles have had the most industry influence (not including short film or porn movies, which are probably safe to rule out anyway)."
Mike Allen