Hyatt Hotels recently announced that it had completed its investigation into a breach of its payment processing system that was first detected on November 30, 2015.
The investigation found that the attackers used malware to collect cardholder names, card numbers, expiration dates and verification codes from systems at a total of 250 hotels worldwide; Hyatt has published a list of the affected hotels.
“The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015,” Chuck Floyd, Hyatt global president of operations, said in a statement. “A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.”
“We worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future,” Floyd added. “We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.”
Brands operated by the Hyatt Hotels Corporation include Hyatt, Park Hyatt, Andaz, Grand Hyatt, Hyatt Centric, Hyatt Regency, Hyatt Place, Hyatt House, Hyatt Zilara, Hyatt Ziva, Hyatt Residences and Hyatt Residence Club.
All those affected are being offered one year of free access to CSID's Protector fraud restoration services. Hyatt is in the process of notifying all affected customers for whom it has a mailing address or email address.
Mark Bower, global director of product management for enterprise data security at HPE Security – Data Security, told eSecurity Planet by email that hotels face a particular challenge regarding customer data security at the point of sale (POS).
“Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in,” Bower said. “Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.”
And Bower said it’s worth noting that the majority of the stolen data in the Hyatt breach came from hotel restaurants. “These are often integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself,” he said. “Such POS systems are thus a target for payment specific malware.”
Still, Bower said, many organizations have improved POS security with new card reading systems that encrypt the data before it arrives at the POS. “Given the need to update the POS to handle EMV chip cards, the addition of encryption to protect the sensitive data from all forms of payment card is a no-brainer,” he said. “If the POS is compromised with this approach, the attackers get nothing. This data-centric approach is realistically the only way to avoid POS malware impact. Traditional approaches of monitoring and anti-virus will only be effective until the next undetectable malware arrives.”
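To make Bower's data-centric argument concrete, the following is an added example (not Hyatt's or HPE's code) that models the two POS designs he contrasts: a legacy POS that holds track data in the clear, and a POS behind an encrypting reader that only ever holds ciphertext. A Luhn-validated PAN scan of the kind used in DLP checks is run over what each POS holds. The reader's cipher is a toy HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, standing in for the real AES-based scheme; the track string is a constructed sample using a well-known test PAN.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample track data (industry test PAN, not a real card).
SAMPLE_TRACK = b"%B4111111111111111^DOE/JOHN^2512101?"

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(blob):
    """What a DLP scan of POS memory would find: every Luhn-valid 13-19 digit run."""
    return [m.group().decode() for m in PAN_RE.finditer(blob) if luhn_ok(m.group().decode())]


def _keystream(key, nonce, n):
    # Toy PRF-based counter mode; stands in for the reader's AES in this example.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def reader_encrypt(key, track):
    """Runs inside the tamper-resistant reader; the POS never sees key or plaintext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(key, nonce, len(track))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def gateway_decrypt(key, blob):
    """Runs at the payment gateway, the only other holder of the reader key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered with in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def legacy_pos_memory(track):
    return track  # integrated POS app parses the swipe itself: cleartext in RAM


def p2pe_pos_memory(key, track):
    return reader_encrypt(key, track)  # POS only forwards an opaque blob
```

Scanning `legacy_pos_memory` yields the PAN, scanning `p2pe_pos_memory` yields nothing, and the gateway still recovers the track and rejects a modified blob.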