I meant to post this last week, so you may have already read it elsewhere. But I figured it was widespread enough that it was worth posting to make sure everyone knew if they were affected.
Hyatt announced a data breach just about a month ago but didn’t have a ton of details to provide us. At the time, I stressed how important it was that Hyatt get us more information quickly. It’s taken longer than I would have preferred, but there’s a lot more information now. One thing I will give them credit for is parking a spot on the home page with an alert to the issue:
The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.
The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.
They’ve set up a separate page where you can view the list of properties affected by country. Poking around a bit, it covers many hotels for this 5-month period. Here’s the list of California hotels affected:
25 states and the District of Columbia had properties affected, as well as a couple dozen other countries.
This would seem to affect a large number of guests given the timeframe and number of properties. Hyatt is offering fraud protection to those affected:
Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them. CSID is one of the leading providers of fraud detection solutions and technologies. In order to activate CSID’s Protector coverage, affected customers in the U.S. may visit www.csid.com/hyatt-us and affected customers outside the U.S. may visit www.csid.com/hyatt-intl to complete a secure sign up and enrollment process. You should also review the additional information in the Reference Guide on ways to protect yourself.
The credit card companies do a pretty good job with fraud prevention nowadays, so the protection almost seems like an afterthought. Here’s hoping that the rash of cyber attacks leads to travel providers being more vigilant about protection of data.