Hyatt made an announcement late last month (access here) that it had detected malware at some of its hotels and was investigating the breach.
Hyatt issued an update yesterday in which it acknowledged that half of the properties were affected, including many international properties. At Hyatt, the malware had infected even some of the front desk systems used to pay for stays.
You can access the announcement on Hyatt’s website here:
Protecting customer information is critically important to Hyatt. We have been working tirelessly to complete our previously announced investigation regarding malware that targeted payment card data used at Hyatt-managed locations. We now have more complete information we want to share so that you can take steps to protect yourself.
The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.
The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.
The list of affected Hyatt locations and respective at-risk dates is available here. Additionally, for at-risk transactions where a cardholder’s name was affected, we are in the process of mailing letters to customers for whom we have a mailing address and sending emails to customers for whom we only have an email address.
We worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future. We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.
Most importantly, we encourage you to remain vigilant and to review your payment card account statements closely. You should report any unauthorized charges to your card issuer immediately. Speak to your card issuer for details because, while card issuers’ policies related to fraud may vary, payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.
Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them. CSID is one of the leading providers of fraud detection solutions and technologies. In order to activate CSID’s Protector coverage, affected customers in the U.S. may visit www.csid.com/hyatt-us and affected customers outside the U.S. may visit www.csid.com/hyatt-intl to complete a secure sign up and enrollment process. You should also review the additional information in the Reference Guide on ways to protect yourself.
If you have questions or would like more information, please call 1-877-218-3036 (U.S. and Canada) or +1-814-201-3665 (International) from 7 a.m. to 9 p.m. EST.
Please be assured that we take the security of customer data very seriously. We deeply regret the inconvenience and any concern this may have caused you.
Global President of Operations
Hyatt Hotels Corporation
This is really, really serious. Half of the hotels were affected by the malware, including some of the front desk systems? Why is Hyatt not emailing the guests who stayed at these properties to inform them about the risks to their credit cards?
Visa, MasterCard and Amex should take stronger action against merchants that cannot safeguard credit card information and make them pay for the losses other merchants are now facing due to Hyatt’s inability to keep credit card info secure.