The Chicago-based Hyatt Hotels Corporation identified signs of unauthorized access to payment-card information used at some 41 hotels in 11 countries from March 18, 2017 to July 2, 2017.
Five of the Hyatt properties affected by the breach included U.S. locations, three resorts in Hawaii and one each in Guam and Puerto Rico. The nation with the largest number of affected Hyatt properties was China with 18.
It is the second major incident with the hospitality chain in the last two years. Hyatt identified signs of data theft from payment cards used at some 250 Hyatt-managed locations, primarily restaurants, in 50 countries from August through December 2015.
The hotel chain said the latest incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.
“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities,” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates.
In August 2016 NAFCU President and CEO Dan Berger issued a statement following a string of hotel breaches including HEI Hotels & Resorts, Hyatt Hotels and Starwood Hotels & Resorts: “These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers.”
Brian Krebs, in his blog KrebsOnSecurity, said: “Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware.”
John Christly, global CISO, Netsurion, and EventTracker, active on PCI SSC, maintained, “There is a common thread among hotel breaches. Hackers are targeting hotels because of the type of POS systems utilized.” Christly added these are often integrated POS environments running applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt payment data. “Hotel systems send the data to the back office instead of directly to the payment processor, adding an additional step that creates weakness in the hotel POS system.”
In addition, there are large volumes of payment card transactions between restaurants, on-site shops, spas, parking, and the front-desk, ensuring there is plenty of customer data for a hacker to compromise. Christly listed the top five virtual attacks that hotel brands and franchisees must prepare against:
- Ransomware.
- Remote hacking through third-party vendors.
- Phishing scams targeting customers and hotels.
- DDoS attacks on the hotel network.
- Theft of personal information over public Wi-Fi.
“Given the array of digital threats facing hotels, it is imperative that these organizations protect their networks from attack to prevent disruptions in service or, worse yet, jeopardizing the safety of employees and guests. Statistics indicate that such incidents will become more frequent, so it is not a matter of if but when the next cyberattack will occur,” Christly added.
