Hyatt Hotels Corp confirmed earlier today that attackers had breached into its systems and gained unauthorized access to the customer payment card information at certain locations worldwide. The criminals continued to have this access between March 18, 2017 and July 2, 2017. Affecting 41 hotels in 11 countries, the investigation has only been concluded now.
Hyatt asks you to "feel confident using payment cards"
In a statement, the company wrote that Hyatt has "implemented additional security measures to strengthen the security of our systems." It added that "customers can confidently use payment cards at Hyatt hotels worldwide." However, it is doubtful if customers can be confident anymore since their information has already being stolen by hackers from Hyatt, not once but at least twice.
The global hotel chain was breached once before in 2015 when it had said that malware had infected some "computers that operate the payment processing systems for Hyatt-managed locations." At the time, the firm had also claimed to have "taken steps to strengthen the security of its systems, and customers can feel confident using payment cards at Hyatt hotels worldwide."
The hackers were apparently able to get into the same systems again this year and the intrusion went undetected for months. The hotel chain has said that the intrusion was made possible using malicious files that were inserted by "a third party" on certain systems.
"Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities. Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue."
The company also seems to believe that payment information is not big enough of a deal as no other information was exposed. Chuck Floyd, Global President of Operations, wrote that he assures customers that no information beyond payment details was leaked. "There is no indication that information beyond that gained from payment cards - cardholder name, card number, expiration date and internal verification code - was involved," he wrote. "Guests can feel confident using payment cards at Hyatt hotels worldwide."
The owner of Andaz, Park Hyatt and Grand Hyatt chain of hotels disclosed that seven Hyatt properties were affected in the United States, including three in Hawaii, three in Puerto Rico and one in Guam. China is the most affected with over 18 properties being impacted by this breach.
The Chicago-based company said that since it cannot "identify each specific payment card that may have been affected," the company may not be able to notify all the guests. However, it did add that it is contacting the guests for whom the corporation has "appropriate contact information that checked in to an affected hotel during the at-risk dates."
If you checked into a Hyatt property between March 18 and July 2 (or at any time, looking at the company's history), better look out for someone charging your card without your authorization. The company has recommended to contact your "financial institution" if you see any "unusual activity on your account statement," since Hyatt won't be offering you any further help.
- List of affected Hyatt properties is available here.