Hyatt notes CC breach, TT users at risk

The spa at the Hyatt Regency, Trinidad. Photo courtesy Hyatt.
The spa at the Hyatt Regency, Trinidad. Photo courtesy Hyatt.

On January 14, 2016, Hyatt Hotels issued a press release acknowledging that credit card information may have been accessed or been vulnerable  to access by unauthorized persons at a number of their locations between August 13, 2015 and December 08, 2015. Some locations have an at-risk window that began as early as July 30, 2015.

In a letter to customers, Chuck Floyd, Global President of Operations, Hyatt Hotels Corporation acknowledged that…

We have been working tirelessly to complete our previously announced investigation regarding malware that targeted payment card data used at Hyatt-managed locations. We now have more complete information we want to share so that you can take steps to protect yourself.

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period.

The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

The list of affected Hyatt locations and respective at-risk dates is available here. Additionally, for at-risk transactions where a cardholder’s name was affected, we are in the process of mailing letters to customers for whom we have a mailing address and sending emails to customers for whom we only have an email address.

We worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future. We also notified law enforcement and the payment card networks.

The Hyatt Regency Trinidad is on the list of affected hotels. If you have used a credit card at other Hyatt locations, you can check to see if that hotel is on their hot list here.

Hyatt’s earlier notice to customers about the matter was distinctly low-keyed and the earliest report was carried on Krebs Security on December 23, 2015.

Hyatt’s worldwide portfolio includes 627 properties in 52 countries.