Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.
According to the company, the investigation revealed unauthorized access to data associated with payment cards used at Hyatt-managed locations, mainly restaurants, between August 13, 2015 and December 8, 2015. Hyatt says a small percentage of the exposed cards were used at golf shops, spas, parking, front desks, or had been provided to sales offices.
For a limited number of locations, attackers might have breached systems on or shortly after July 30, 2015.
The hotels hit by the breach are located in Argentina, Armenia, Aruba, Australia, Austria, Azerbaijan, Brazil, Cambodia, Canada, Chile, China, Costa Rica, Egypt, France, Germany, Greece, Guam, Hong Kong, India, Indonesia, Italy, Japan, Jordan, Macau, Malaysia, Maldives, Mexico, Morocco, Nepal, Netherlands, the Mariana Islands, Oman, Panama, Philippines, Puerto Rico, Qatar, Russia, Saudi Arabia, Serbia, Singapore, South Africa, South Korea, Switzerland, Taiwan, Tajikistan, Tanzania, Thailand, Trinidad and Tobago, Turkey, Ukraine, UAE, the UK, the US, and Vietnam.
The highest number of affected locations are in China (22 hotels), India (20 hotels) and the United States (99 hotels). Only the Hyatt Regency in Boston is listed as being impacted since July 30.
Hyatt said the malware found on its systems was designed to collect cardholder names, card numbers, expiration dates and internal verification codes. The malware collected the data as it passed through infected payment processing systems. There is no evidence that other customer information has been compromised, the hotel operator said.
Hyatt noted that it has notified appropriate country and state regulators, and it has been working with the FBI to investigate the incident. The company is working on notifying affected customers via snail mail and email. Customers for whom Hyatt does not have any contact information are advised to check the list of affected hotels to determine if they are impacted.
Affected individuals have been offered one year of free fraud protection services via CSID.
“Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt’s statement,” said Brad Cyprus, chief of security and compliance at Netsurion, a provider of remotely-managed security services for multi-location businesses.
“2016 is picking up right where we left off last year, with more evidence of the IT security threat the hospitality industry is facing. In the New Year, these businesses, from individually owned hotels to large, national chains, should resolve to strengthen security postures. For many, the best way to accomplish that goal is to partner with a managed data and network security provider,” Cyprus said in an emailed statement.