Late in the evening a few days ago (right before Christmas), I saw a notification pop up that Hyatt Hotels had suffered a data breach. As in the past, Krebs on Security had some information on their website, but not much. Rather than write a post then, I decided to wait a bit to see if there was more detail coming.
After a few days of waiting, all we really have so far is a very basic statement from Hyatt:
Protecting customer information is of critical importance to Hyatt, and we take the security of your payment card data very seriously. We recently identified malware on computers that operate the payment processing systems for Hyatt-managed locations. As soon as we discovered the activity, we launched an investigation and engaged leading third-party cyber security experts.
The investigation is ongoing, and updates will be posted here at www.hyatt.com/protectingourcustomers. We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide.
As always, we encourage customers to review their payment card account statements closely and to report any unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.
When Starwood had a similar-looking breach a few months back, they provided a good amount of specificity, even going so far as to note which properties were compromised and which on-property systems were likely to have been affected. That level of detail was very helpful to customers.
I’d like to give Hyatt the benefit of the doubt here and say that they’re still investigating this, hence the lack of detail. It’s possible they were in the process of investigating when there was a leak about the problem so they put out a generic statement for the time being.
That’s my hope, because the information provided so far isn’t sufficient to give customers comfort about their personal information.
Most of you know Hyatt is my favorite hotel chain, and some accuse me of being soft on them. I don’t think I do that, but it would be foolish for me to say a bias couldn’t possibly exist. But, I don’t think my position on this issue will have anyone screaming that I’m giving Hyatt a pass here.
Even in an era where data breaches are the norm, Hyatt needs to provide more information on the size and scope of this breach. If they believe that disclosing details today would expose weaknesses in their systems that have not yet been closed, then they should provide an accurate timeline for when more information will be forthcoming.
The bottom line is Hyatt needs to provide more data to their customers here.