The Daily Swig Web security digest

Hyatt suffers second card data breach in two years

James Walker | 13 October 2017 at 10:00

41 hotels impacted across Asia and the Americas.

Global hospitality group, Hyatt Hotels Corporation, has discovered unauthorized access to payment card information at 41 of its properties around the world.

According to the Chicago-based company, which owns and manages more than 700 hotels in 56 countries, the data leak pertains to credit cards manually entered or swiped at the front desk of the affected locations between March 18 and July 2.

“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” the group said in a statement.

“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities.”

The data included cardholder names, card numbers, expiration dates, and internal reference numbers, Hyatt said.

The group’s properties in China bore the brunt of the breach, with 18 Hyatt-branded hotels being impacted around the country, along with four properties in Mexico, and three each in the US, Puerto Rico, Saudi Arabia, and South Korea, among others.

Hyatt’s European properties were unaffected by the breach.

While the hospitality firm said it has resolved the issue and implemented additional security measures to strengthen the security of its systems, the company urged its customers to review their payment card account statements and report any unauthorized charges to their card issuer immediately.

The news comes less than two years after Hyatt disclosed a data breach that affected guests’ cards used at 250 hotels across 50 countries.

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August and December 2015.