Hyatt Breach: 250 Hotels, 50 Countries
POS Malware Checked In, Stayed For Four Months
Hyatt Hotels says it's concluded its investigation into the payment card data breach that it first discovered in November 2015, and reports that malware infected 250 of its locations across 50 countries (see Hyatt Falls to POS Malware Infection).
The Chicago-based hotel chain says that anyone who used a payment card at one of the affected properties last year from July 30 to Dec. 8 was potentially affected. The affected properties are located everywhere from Argentina and Armenia to the United Kingdom and Vietnam. In the United States, 100 hotels in 26 different states were affected.
Hyatt first publicly disclosed the breach on Dec. 23. The firm tells Information Security Media Group that it hired third-party digital forensics and information security experts Mandiant and Kroll to help it investigate the intrusion and better lock down its security processes, procedures and technology.
As of Jan. 14, the hotel reports that the related investigation has concluded, that it has notified relevant country and state regulators, and that it's continuing to work with the FBI, suggesting that the bureau has launched a related criminal probe.
"The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015, and December 8, 2015," says Chuck Floyd, global president of operations for Hyatt Hotels Corporation, in a security update posted to Hyatt's website. "A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015."
Investigators found that the malware collected data from cards used onsite - rather than online - and that it was able to steal cardholder names, card numbers, card expiration dates as well as internal verification codes "as the data was being routed through affected payment processing systems," Hyatt says. But the hotel chain doesn't believe that any other information - such as customers' mailing addresses or email addresses - was compromised by attackers.
Hyatt says that it doesn't know exactly which type of malware hit it. "We are not aware that the malware has been named, and we do not know the number of customers or payment cards affected at this time," spokeswoman Stephanie Sheppard tells ISMG.
The hotel has published a list of affected properties. The company manages about 630 properties in total, meaning that the breach affected one-third of its locations.
"We want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future," Floyd says.
Hyatt Attempts to Notify Affected Customers
The hotel chain is reaching out to affected customers directly, whenever possible. "For at-risk transactions where a cardholder's name was affected, we are in the process of mailing letters to customers for whom we have a mailing address and sending emails to customers for whom we only have an email address," according to a related Hyatt breach FAQ. "However, we do not have sufficient information to be able to identify and contact all potentially affected individuals, which is why we encourage customers to reference the list of affected locations and respective at-risk dates." And the hotel chain says cardholders should contact payment-card issuers directly if they suspect that they've been the victim of payment card fraud.
But customers whose payment card data was stolen could still be targeted by fraudsters in the future, for example if their payment card details get sold online and used to commit online fraud or to create fake cards for in-person purchases. Hyatt says it's still working with relevant card issuers to identify all of the cardholders who might be at risk (see Banks Reacting Faster to Card Breaches). "We are continuing to work closely with payment card companies to identify potentially affected cards so that the banks that issued those cards can be made aware and initiate heightened monitoring of those cards," the company says in its FAQ.
Hyatt says that it is offering affected cardholders one year of prepaid identity theft monitoring services from TransUnion's CSID service for both U.S. and international breach victims. CSID was also tapped by the U.S. Office of Personnel Management (see OPM Breach Numbers "Enormous").
Hotel POS Malware Breach Epidemic
While Hyatt has yet to detail how the attack happened - or what steps it's taken to prevent a recurrence - security experts have recommended that all organizations ensure they've segmented their networks, changed default passwords on POS devices and that they constantly monitor for signs of data exfiltration (see Why POS Malware Still Works).
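The exfiltration monitoring recommended above targets exactly what the malware described earlier took: card numbers, expiry dates and verification codes scraped in transit. As an added example (not code from Hyatt, Mandiant or Kroll), the following scans constructed outbound payloads from a POS segment for Luhn-valid card numbers, which is the core check a data-loss-prevention sensor runs; the sample payloads and the test PANs in them are constructed, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample of outbound payloads a sensor on the POS segment might capture.
# Track-2-style fields (PAN=expiry+service code) and form-encoded card fields are how
# POS RAM scrapers commonly package stolen data. The card numbers are industry test
# PANs, not real cards.
SAMPLE_PAYLOADS = [
    b"GET /menu/today.json HTTP/1.1",             # benign request
    b"4111111111111111=2012101",                  # track-2 style PAN + expiry
    b"id=5555555555554444&exp=1219&cvv=123",      # form-encoded card data
    b"order 1234567890123456 shipped",            # 16 digits, but fails Luhn
    b"ref=378282246310005;name=J DOE",            # 15-digit Amex-format PAN
]

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum every payment card PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Runs of 13-19 digits not adjacent to other digits: candidate PANs.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def find_pans(payload: bytes) -> List[str]:
    """Return the Luhn-valid digit runs in a payload, i.e. probable plaintext PANs."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]

def flag_exfil(payloads) -> List[Tuple[int, str]]:
    """Return (payload index, masked PAN) for payloads carrying probable card data.

    The PAN is masked to first six / last four before it reaches an alert, so the
    detection pipeline does not itself become a second store of cardholder data.
    """
    hits = []
    for idx, p in enumerate(payloads):
        for pan in find_pans(p):
            hits.append((idx, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits

if __name__ == "__main__":
    for idx, masked in flag_exfil(SAMPLE_PAYLOADS):
        print(f"ALERT payload {idx}: probable card data {masked}")
```

On the constructed sample this flags payloads 1, 2 and 4 and ignores the Luhn-invalid order number in payload 3.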
Hyatt, meanwhile, is only one of many hotel chains that in recent months have warned customers that their payment-card data was compromised by a POS malware infection. Other recent data breach victims include Trump Hotels, which disclosed a year-long breach in September 2015; Starwood Hotels and Resorts, which reported a POS malware breach in November 2015; and Hilton, which issued a warning the same month saying that it had suffered intermittent POS malware breaches throughout 2014 and 2015.