Hyatt Corp. has announced that payment card information of customers at several of its hotels was accessed by hackers between March and July.
Hyatt’s admission comes three months after the breach took place and this is the second such breach suffered by the hotel chain in two years.
Between March and July of this year, suspected hackers were able to access payment card information for customers at several Hyatt hotels located in China, Brazil, the United States, India, Japan, Malaysia and several other countries. In all, a total of 41 properties across 11 countries were affected by the breach.
In a press statement, Hyatt Corp. announced that hackers were able to access details of payment cards which were either swiped or manually entered at the front desk of the affected hotels. Details accessed by the hackers included cardholder names, card numbers, verification codes and expiration dates, which are enough for malicious hackers to perform financial transactions online.
“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities.
“Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates,” said the hotel group.
This is the second such breach suffered by Hyatt Corp. in as many years. Back in 2015, hackers were able to access credit card systems at 250 Hyatt hotels across 50 countries for as long as four months without getting detected. Fortunately, none of the Hyatt properties in the UK were breached in 2015 or this year.
Hyatt Corp. now joins a number of renowned hotel chains which suffered incidents of data breach and loss of customer data this year. In April, UK-based InterContinental Hotels Group announced that between September 29 and December 29 of last year, hackers stole a large number of customer card details from a number of its locations by hacking into IHG’s payment servers.
Between August 2016 and March this year, hackers were also able to steal sensitive details of guests at 14 Trump hotels after conducting a cyber-attack on Sabre Hospitality Solutions’ Central Reservation system. The cyber-attack, which lasted eight months, compromised details of guests at several hotel chains including Trump Hotels, Hard Rock Hotels, Loews Hotels and the Four Seasons hotels and resorts. In all, details stored by over 500 companies on Sabre Hospitality Solutions’ Central Reservation system were breached.
‘The specific infection point from ‘cards manually entered or swiped at the front desk’ reminds me of several already public cases. Adversaries would call the front desk complaining of an issue and send an email with ‘supporting information’,’ said Stephen Moore, chief security strategist at Exabeam.
‘The email would contain a VBScript or macros that download malware, and continue with password stealing and enabling remote desktop. That Hyatt has said this is a ‘front desk’ breach leads credibility to this attack vector.
‘Alternatively, physical access could have resulted in a similar initial infection, using old methods such as “may I use your computer?” then compromising the system, or even tossing about malware laden USB drives that security unaware staff foolishly plug into their computers,’ he added.