Hyatt Hotels recently announced that its payment systems were breached. This exposed data from 41 hotels in 11 countries. This breach took place at Hyatt-managed hotels worldwide between March 18, 2017 and July 2, 2017. The investigation was concluded very recently.
Seven properties in United States were affected by this breach, with China bearing the maximum impact of the breach. Close to 18 properties were affected in China.
The company said that its cybersecurity team discovered this breach in July and started an investigation. The issue was recently resolved, and the team took steps to prevent this from happening in the future.
“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” Hyatt said in a customer letter.
According to Steve Moore, Exabeam’s vice president and chief security strategist, the point-of-sale computer may have been the entryway for the malware.
The sensitive customer information that could have been exposed includes payment card information details, such as cardholder name, card number, expiration date and “internal verification code,” presumably the three-digit code on the back.
The company did not specify the exact number of people who could be affected by the breach. “While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected,” Hyatt said in a statement.
Hyatt has advised any customers who may have visited one of their hotels to check their cards for any unauthorized access.
In 2015, Hyatt was affected by a similar kind of a breach in which its payment processing system was infected with credit card-stealing malware. At that point in time, the breach affected 250 hotels across 50 countries.