[BreachExchange] Hyatt Hotels data breach: Hackers accessed visitors' credit card info from 41 hotels in 11 countries

[Audrey McNeil]

http://www.ibtimes.co.uk/hyatt-hotels-data-breach-hackers-accessed-visitors-
credit-card-info-41-hotels-11-countries-1642987

Hyatt Hotels discovered that its payment systems were breached, exposing
visitors' payment card information from 41 hotels in 11 countries earlier
this year. The hospitality giant said its cybersecurity team found signs of
unauthorized access to customers' payment card data from cards manually
entered or swiped at the front desk of some Hyatt-managed locations between
18 March and 2 July.

The largest number of Hyatt properties impacted were based in China with 18
hotels and Mexico with 4 hotels. Seven Hyatt properties in the US were
impacted in the point-of-sale (PoS) breach including three resorts in
Hawaii, three in Puerto Rico and one in Guam.

The compromised customer information included cardholder names, card
numbers, expiration dates and internal verification codes. Hyatt said it
launched a "comprehensive investigation" into the breach and is working
with leading third-party experts, payment card networks and authorities.

"Based on our investigation, we understand that such unauthorized access to
card data was caused by an insertion of malicious software code from a
third party onto certain hotel IT systems," Hyatt's global president of
operations, Chuck Floyd, said in a statement. "Our enhanced cybersecurity
measures and additional layers of defence implemented over time helped to
identify and resolve the issue."

He has added that there is currently no indication that any other
information was affected in the breach.

Hyatt has advised all customers who visited one of their hotels for any
unauthorized charges or suspicious behaviour. The company has not specified
how many customers were potentially affected in the breach.

"While we estimate that the incident affected a small percentage of payment
cards used by guests who visited the group of affected Hyatt hotels during
the at-risk time period, the available information and data does not allow
Hyatt to identify each specific payment card that may have been affected,"
Floyd said, noting that the Chicago-based company has taken measures to
prevent this from happening in the future.

"This incident is something we take seriously, and we are sorry for the
inconvenience and concern this may cause our guests."

This is the second time Hyatt has suffered a data breach in less than two
years.

In late 2015, Hyatt said its payment processing system was infected with a
malicious card-stealing malware that impacted 250 hotels in around 50
countries.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171013/d7f1acca/attachment.html>