Continuing a growing trend of payment card breaches in the hospitality industry, two recent breaches exposed significant amounts of customer data at restaurants across the U.S. and at hotels worldwide.
On October 14, U.S. restaurant chain Pizza Hut began notifying approximately 60,000 U.S. customers that their names, delivery addresses, zip codes, email addresses, payment card numbers, expiration dates and CVV numbers may have been exposed when the company’s website was breached, the Sacramento Bee reports.
“We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017 through midday on October 2, 2017) and subsequently placed an order may have been compromised,” the company stated in a notification letter [PDF] to those affected.
“Upon becoming aware of the security intrusion we immediately took steps to halt it, including engaging external cybersecurity consultants to help investigate the nature of the intrusion and take steps to remediate the issue, as well as to prevent recurrence,” the company added.
Lastline senior security researcher Marco Cova told eSecurity Planet by email that the delay between the breach on October 1 and 2 and the notification on October 14 indicates that some best practices were not followed. “Waiting two weeks to inform the users affected means that the individuals were unable to block or change their cards, which in turn meant that the fraudulent data stolen facilitated further cybercrime in the form of credit card fraud, which is always the worry with data breaches,” he said.
“Companies should learn from this mistake, and should endeavor to tell the individuals what’s happening as soon as possible, and invest in the appropriate breach detection services to stop cybercriminals before they access the data in the first place,” Cova added.
The Hyatt Breach
Separately, on October 12, Hyatt Hotels began notifying an undisclosed number of customers that the company had “discovered signs of and resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.”
A list of affected hotels can be viewed here.
“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” the company stated. “Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.”
Early last year, Hyatt announced that a separate breach had exposed payment card data at a total of 250 hotels worldwide.
NuData Security marketing director Lisa Baergen said by email that while this recent breach hit fewer North American locations than the previous one, it appears to have affected properties in every country where Hyatt does business. “The harvested customer payment card data — including expiration dates and verification codes — is extremely valuable data that will be sold on the Dark Web or used in credit card cycling scams,” she said.
“This latest concerning breach is just one more reason why companies such as Hyatt must adopt more advanced security and authentication measures based on trusted identity, and consumers must diligently, routinely check their credit files for suspicious credit applications and consider freezing their credit profiles,” Baergen added.