Hyatt Corp. is alerting customers about another credit card breach at some hotels, the second major incident with the hospitality chain in as many years.
Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.
“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities,” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates.
The hotel chain said the incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
In late 2015, Hyatt announced that for about four months that year hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Only five of the Hyatt properties affected in this most recent breach are U.S. locations: three resorts in Hawaii and one each in Guam and Puerto Rico.
The nation with the largest number of Hyatt properties impacted was China (18). The company has published a list of the affected hotels.
Each time one of these breach stories breaks, I hear from a number of readers who say they believe their cards were impacted based on some fraudulent activity on their cards. One thing I try to stress to those readers is that there are so many merchants both online and offline that are compromised by card-stealing malicious software that it is very likely that their card numbers were stolen from multiple victim companies.
The most important thing to bear in mind with all these card breaches is that although consumers are not liable for fraudulent charges, it still usually falls to you, the consumer, to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services can also be set to alert you if you're about to miss an upcoming payment, so they can be handy for avoiding late fees and other costly charges.
For anyone curious about why the hotel industry has been so heavily targeted over the past few years, check out some of the case studies published by Trustwave SpiderLabs. Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware.
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. He was recently profiled in Business Week and by Poynter.org.