In a developing story, Hyatt Hotels released an update on Jan. 14 about a previously disclosed breach of payment cards at some of its properties. The extensive investigation discovered that more than 250 hotels in 50 countries were affected and that, while the majority of compromised point-of-sale (POS) machines were at restaurants, the breach also included some front desk and sales office systems. The addition of non-retail systems, plus the sheer number of hotels and countries, makes this possibly the largest and most wide-ranging hotel chain cyber breach. It is unclear how many people may have been affected.
The Hyatt breach is just one of a growing number of hotel POS breaches, a list that now includes the Trump Collection, Hilton, Starwood, White Lodging and Mandarin. As with the other hotel chains, the unauthorized access to payment card data dated back to mid-July 2015, with the majority of problems ranging from August through Dec. 8, 2015. Besides restaurants, the compromised cards had been used at spas, golf shops and parking. The breach of cards used to make payments at the front desk and to the sales office began on or shortly after July 30, 2015, according to a release from Chuck Floyd, Global President of Operations for Hyatt Hotels Corp.
Investigators found the malware collected cardholder names, card numbers, expiration dates and internal verification codes as the data was being routed through the infected processing systems. No other customer information, such as addresses, loyalty program details or Social Security numbers, is at risk. Hyatt has provided a list of affected locations in the FAQ section of its website. The company is mailing out letters to all customers who may be affected, or emailing those for whom it only has email addresses.
While the general public might be wondering about the upswing in breaches at hotel properties, security experts continue to point out that cyber thieves are shifting their attacks to “low-hanging fruit.” Big box retailers such as Target, which were hit several years ago, have for the most part switched to the new chip card POS machines. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.
Hotels are attractive targets due to the high volume of transactions they process. Hotels process billions of transactions globally each year, not just in terms of room payments but also across all the amenities provided at upscale properties: restaurants, fast-food outlets, high-end boutiques, beauty shops, spas, bars, and even gift shops for travelers who wish to purchase toiletries and robes prepared especially for the hotel chain.
Unlike retail stores that cater to local customers, hotels draw from a global community of spenders. That makes it harder to pinpoint which merchant has exposed customers’ cards. Many retailers have only discovered their systems were breached after being notified by law enforcement.
Brian Krebs discussed a communication failure that has led to delayed notification. “Many financial institutions have squandered a great deal of their resources trying to figure out which retailers are exposing their customers’ cards. That’s because Visa, MasterCard and the other card associations won’t tell banks which retailers have been hit; they just send them incessant updates about specific card numbers that were suspected to have been compromised in a breach somewhere. It’s then up to the banks to work backwards from the breached cards and triangulate which merchants show up most frequently in a batch of given cards.”
Krebs has a unique view of the problem. “All of this probably explains why on any given week I’m contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they’re experiencing. As a journalist, this is a bit of a surreal situation, but I can’t complain much: It has allowed this author to break story after story about card breaches in the retail sector over the past two years.”
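The triangulation banks are left to do, working backwards from a batch of breached cards to the merchant they share, can be sketched as a common-point-of-purchase check. This is an added example, not code from the article or from Krebs; the card IDs, merchant names and the lift score (which goes beyond raw frequency by comparing against uncompromised cards) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (card_id, merchant) pairs from an issuer's transaction history.
TRANSACTIONS = [
    ("c1", "Grocer A"), ("c1", "Hotel Restaurant X"),
    ("c2", "Grocer A"), ("c2", "Hotel Restaurant X"), ("c2", "Fuel B"),
    ("c3", "Grocer A"), ("c3", "Hotel Restaurant X"), ("c3", "Fuel B"),
    ("c4", "Grocer A"), ("c4", "Hotel Restaurant X"),
    ("c5", "Grocer A"), ("c5", "Fuel B"),
    ("c6", "Grocer A"),
    ("c7", "Grocer A"), ("c7", "Hotel Restaurant X"),
    ("c8", "Grocer A"), ("c8", "Fuel B"),
]
# Constructed sample: cards the card association flagged as suspected compromised.
COMPROMISED = {"c1", "c2", "c3", "c4"}


def common_points_of_purchase(transactions, compromised, min_cards=2):
    """Rank merchants by over-representation among compromised cards.

    Returns (merchant, compromised_hits, compromised_rate, lift) tuples,
    where lift = share of compromised cards seen at the merchant divided by
    the share of clean cards seen there. A popular local merchant scores
    near 1.0; a breached merchant scores well above it.
    """
    cards_at = defaultdict(set)  # merchant -> distinct cards seen there
    all_cards = set()
    for card, merchant in transactions:
        cards_at[merchant].add(card)
        all_cards.add(card)
    bad = compromised & all_cards
    clean = all_cards - bad
    # Floor for the clean rate so a merchant with no clean cards
    # still gets a finite (large) lift instead of dividing by zero.
    floor = 1 / (len(clean) + 1)
    ranked = []
    for merchant, cards in cards_at.items():
        hits = len(cards & bad)
        if hits < min_cards:
            continue  # too few flagged cards to say anything
        bad_rate = hits / len(bad)
        clean_rate = len(cards & clean) / len(clean) if clean else 0.0
        lift = bad_rate / max(clean_rate, floor)
        ranked.append((merchant, hits, round(bad_rate, 2), round(lift, 2)))
    return sorted(ranked, key=lambda r: (-r[3], -r[1], r[0]))


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, COMPROMISED):
        print(row)
```

In the sample, the grocer and the hotel restaurant each appear on all four flagged cards, so raw frequency cannot separate them; only the comparison against clean cards does.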