Hyatt Data Breach

Back at the end of December, Hyatt announced that their point-of-sale systems were hacked and malicious code was installed for something like 250 hotels. Around the same time, the Hyatt Gold Member system on their website was taken offline for almost a week. The two events may have been connected as Hyatt looked to correct their systems and investigate what happened. At the time the Gold Passport accounts went offline, there was no mention of the breach, but in hindsight it seems likely that the two events were connected.

Hyatt has come back this week with an explanation of what happened to their systems. Hyatt wrote the following in their press release.

Hyatt Hotels Corporation (NYSE: H) has completed its investigation of the previously announced payment card incident. The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.
The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

While I am now a Hyatt Platinum member, Hyatt is my secondary choice only if an SPG hotel isn't available. Hyatt is a smaller brand than SPG, so I rarely find them in a market that SPG isn't in, but it happens from time to time.

With another data breach to add to the list of breaches that seem to happen far too often now, is there much we can do to make this better? Well, the good news is that from Hyatt's press release, we can see that the hotel front desk systems were only compromised in a very few cases. Most of these cases involved the restaurants in the hotels. Whether this is a system independent of the Hyatt main systems, I cannot tell, but it is possible. It's also possible that these restaurants are mostly managed by entities other than Hyatt, but that is just speculation on my part. Really, there is not much we can do about this type of attack. Use your chip-enabled credit/debit cards. Unfortunately, many vendors have been very stubborn about switching to chip card readers, so we are left to the vendors' choices in these cases.

We can only trust that our data is in the right hands, and if not, we have to rely on keeping track of our finances as closely as possible.

If you recently stayed at a Hyatt, they have a list of impacted hotels, which I've linked below. Luckily, my Hyatt stays were not at any compromised hotels. Take a look and follow up with Hyatt if you were impacted.

Breached Hyatt Hotel List