Just in time for Christmas, Hyatt is notifying customers that their payment card data may have been compromised by malware-wielding cybercriminals. The major hotel chain is thus encouraging its customers "to review payment card account statements closely."
Hyatt says in a Dec. 23 statement saying that it recently "identified malware on computers that operate the payment processing systems for Hyatt-managed locations." The company says it launched a related investigation when the point-of-sale malware was detected, brought in third-party digital-forensic investigators, and that the related breach investigation remains ongoing.
"Protecting customer information is of critical importance to Hyatt, and we take the security of your payment card data very seriously."
Chicago-based Hyatt, which is controlled by the billionaire Pritzker family, says that in the wake of the breach it has "taken steps to strengthen the security of its systems," although does not detail what those steps might be.
Hyatt spokeswoman Stephanie Sheppard tells me that the hotel chain detected the POS malware infection on Nov. 30. But she declined to comment on my request for more details relating to the breach, including when it was first detected or how many of its 627 hotels - across 52 countries - might have been affected. Likewise, the hotel chain has not detailed how many customers may have been affected, or whether card issuers have yet detected related signs of fraud.
"The investigation is ongoing, and we will have more to share, such as scope, when the investigation is complete," Sheppard says.
But representatives at a call center set up to field related inquiries report that stolen information may have included payment cardholders' names, as well as card numbers, expiration dates and verification codes, Reuters reports. It adds that cybersecurity firm FireEye says that it was hired to investigate the breach. FireEye didn't immediately respond to a request for comment, although its Mandiant unit is one of the biggest breach-investigation service providers.
If Hyatt's breach notification is light on specifics, there is one message it tries to make loud and clear: "Customers can feel confident using payment cards at Hyatt hotels worldwide." In another bit of marketing speak, the Web page set up by the hotel to detail the results of the ongoing investigation into the Hyatt data breach is called "Protecting our Customers."
Finally, in what's now become such a de rigueur "we lost your data" disclaimer that it's clichÃ©, Chuck Floyd, global president of operations for Hyatt, says in a post-breach statement: "Protecting customer information is of critical importance to Hyatt, and we take the security of your payment card data very seriously."
Hotel Malware-Infection Epidemic
With its breach alert, Hyatt becomes the fourth major hotel chain in two months to warn that it may have suffered a POS malware infection, following:
- Trump Hotels: The hotel chain warned Sept. 29 that its POS systems had been malware-infected for more than a year.
- Starwood Hotels and Resorts: On Nov. 20, Starwood warned that malware had infected some of its restaurants, gift shops and other POS systems. At the time, card issuers reported that they suspected that there appeared to be another - separate - major breach also affecting the United States.
- Hilton: The hotel chain warned Nov. 24 that it suffered intermittent POS malware breaches in 2014 and 2015.
What Infections Often Reveal
Hyatt has not detailed what type of POS malware was used in the attack. But functionally speaking, security experts say there are often scant differences between different POS malware families.
Rather, a company's admission that it suffered a POS malware attack may speak to its failure to safeguard POS devices by changing their default passwords or running them on segmented networks, according to security expert Charles Henderson (see Why POS Malware Still Works). Using segmented networks in particular can help block unauthorized access to POS devices as well as data exfiltration attempts in the event of a breach, and not just for payment card data (see 5 Secrets to Security Success).
While the United States is in the process of adopting EMV-compatible payment cards, security experts say that POS malware can still steal payment card details, allowing criminals to buy and sell the stolen data, which can still be used for "card not present" fraud (see Why U.S. EMV Migration Will Spur Global Fraud Shift).
Note: This story has been updated with Hyatt spokeswoman Stephanie Sheppard's comments.