Security Experts:

Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Card Breach Affects 250 Hyatt Hotels Worldwide

Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.

Following an investigation into a breach of its payment processing systems, Chicago-based hotel operator Hyatt Hotels has determined that the incident affects 250 hotels worldwide.

According to the company, the investigation revealed unauthorized access to data associated with payment cards used at Hyatt-managed locations, mainly restaurants, between August 13, 2015 and December 8, 2015. Hyatt says a small percentage of the exposed cards were used at golf shops, spas, parking, front desks, or had been provided to sales offices.

For a limited number of locations, attackers might have breached systems on or shortly after July 30, 2015.

The hotels hit by the breach are located in Argentina, Armenia, Aruba, Australia, Austria, Azerbaijan, Brazil, Cambodia, Canada, Chile, China, Costa Rica, Egypt, France, Germany, Greece, Guam, Hong Kong, India, Indonesia, Italy, Japan, Jordan, Macau, Malaysia, Maldives, Mexico, Morocco, Nepal, Netherlands, the Mariana Islands, Oman, Panama, Philippines, Puerto Rico, Qatar, Russia, Saudi Arabia, Serbia, Singapore, South Africa, South Korea, Switzerland, Taiwan, Tajikistan, Tanzania, Thailand, Trinidad and Tobago, Turkey, Ukraine, UAE, the UK, the US, and Vietnam.

The highest number of affected locations are in China (22 hotels), India (20 hotels) and the United States (99 hotels). Only the Hyatt Regency in Boston is listed as being impacted since July 30.

Hyatt said the malware found on its systems was designed to collect cardholder names, card numbers, expiration dates and internal verification codes. The malware collected the data as it passed through infected payment processing systems. There is no evidence that other customer information has been compromised, the hotel operator said.

Hyatt noted that it has notified appropriate country and state regulators, and it has been working with the FBI to investigate the incident. The company is working on notifying affected customers via snail mail and email. Customers for whom Hyatt does not have any contact information are advised to check the list of affected hotels to determine if they are impacted.

Affected individuals have been offered one year of free fraud protection services via CSID.

“Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt’s statement,” said Brad Cyprus, chief of security and compliance at Netsurion, a provider of remotely-managed security services for multi-location businesses.

“2016 is picking up right where we left off last year, with more evidence of the IT security threat the hospitality industry is facing. In the New Year, these businesses, from individually owned hotels to large, national chains, should resolve to strengthen security postures. For many, the best way to accomplish that goal is to partner with a managed data and network security provider,” Cyprus said in an emailed statement.

The list of hotel operators targeted by cybercriminals last year includes Mandarin Oriental Hotel Group, White Lodging Services, Trump Hotel Collection, Hilton and Starwood Hotels.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.


Australian authorities sentence Sydney man for using leaked data stolen from wireless carrier Optus to conduct SMS scams.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...