December 23, 2015

Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.

Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”

As of September 30, 2015, Chicago-based Hyatt’s worldwide portfolio included 627 properties in 52 countries.

Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.


26 thoughts on “Malware-Driven Card Breach at Hyatt Hotels”

  1. JCitizen

    They can forget about me feeling confident – it is only the fact that I won’t be held responsible for illegal charges that I go anywhere and use a card anymore. The same old apologetic blather coming from these hotel chains is just getting tiring, and not making us feel better at all. They should sooner say nothing at all, as far as I’m concerned.

    1. Jonathan E. Jaffe

      JCitizen – you are not going to be held liable for illegal charges against your credit card, that is true.

      You, me, Brian and every other consumer still wind up paying the merchant markup to cover any loss. The providers charge the merchants for services and we pay that too.

      The general public is deep in breach fatigue. I doubt this will make the evening news. I’m part of the industry and I’m as mad as hell. When are we not going to take it anymore?

      This clip is from 1976. It is worse now as your toaster and your television might be spying on you.
      https://www.youtube.com/watch?v=WINDtlPXmmE

      There is a better way.

      Jonathan @NC3mobi

      1. AndrewB

        The credit-card sponsoring banks ate that loss, not the merchant.

  2. Sykophantes

    Rats! I stayed for a week ending Dec. 5th in a Hyatt hotel in Linthicum Heights near Baltimore BWI airport and used my European Mastercard to pay for the stay (did not use the card at any other hotel facilities). I have an SMS alert set with my CC company notifying me of any transaction above 25 Euro. No fraudulent transactions so far. Should I proactively call the credit card company and ask what? A new card?

  3. RichG

    Sykophantes:
    I was caught in the HomeDepot circus. As soon as I heard about their breach I called for a new card before they ran out of blanks.

    1. Mike

      I know you’re mostly kidding, but after the Home Depot breach my local bank not only ran out of blanks, but their card press *broke* from all the extra stress printing new debit cards for customers.

      1. Scott

        And this is why you should never use your debit card at merchants. The legal protections for using credit are much, much better and if someone charges something on it, you can simply dispute the charge and not pay it. If someone compromises your debit card and takes out a wad of cash, you’re screwed until the bank is kind enough to refund it (which could take 6-8 weeks). ALWAYS use credit at merchants. Only use debit at reputable ATM’s that you visually inspect for signs of tampering first.

  4. Jason

    What will happen is counterfeit cards will be used to buy gift cards at Walmarts, and small local banks will take the losses while Walmart grows bigger. Walmart only checks your ID if you’re buying a gun or ammo.

    1. nucc1

      And America continues to take credit card payments with a scribble on a touchpad as the only form of security.

  5. Mike

    Shall we blame it on a failure to keep all networked devices “up-to-date”? Maybe we could suggest that Hyatt still runs XP systems? Could it possibly be that an outsourced “partner” was infected and spread said infection to Hyatt’s computers through a remote login? Maybe it was a rogue Anon? Why not blame it all on Oracle for a failure to properly maintain Hyatt’s software?

    I know…..
    It was a Hyatt employee looking at porn on a company computer

  6. KR

    Working not only on the InfoSec side, but also in risk and compliance over the years, I know of a number of reasons this continues to happen. One of the major ones is Risk Acceptance, or as I call it, Risk Appetite. The cost of a breach to the retailer is so low that the compliance officers don’t push to fund any security beyond what meets compliance, which is woefully insufficient. Patrons don’t leave, they continue to come back, as is evident from Target and Home Depot. The Chip and Pin deadline has come and gone and only a handful of the major retailers and few if any small retailers are in compliance and what happens… nothing, because as much as the credit card companies want to reduce their losses, it would cost them so much more if they actually stood up and cut off some of these retailers until they passed a comprehensive 3rd party audit and were compliant. Consumers have no skin in the game, fortunately, as credit card fraud is not easily remedied. In the end, there is no compelling reason for the large retailers to do a damn thing about security. And it is far worse in healthcare, but that is a different topic altogether.

    1. Jonathan Jaffe

      KR: you wrote

      > Consumers have no skin in the game,
      Umm, consumers have ALL the skin in the game. Providers charge merchants, merchants charge consumers. In the end the consumer pays ALL the bills.

      As for Chip-&-PIN, 2/3 of UK customers surveyed say it is already obsolete. https://www.linkedin.com/pulse/article/change-security-landscape-jonathan-jaffe and the US is still at Chip-&-Sig (mostly without the signature). That some 40% of consumers even had cards by the deadline says this was more about liability shift than consumer protection.

      As for compliance, Target was compliant at the time of their major breach. Look at http://nc3.mobi/references/20131218-target/ down by the 9/21/2015 entry for a comment from their president.

      There is a better way!

      Jonathan @NC3mobi

      1. Kevin

        The other issue I’ve found with Chip/PIN Cards is 90% of the retailers still don’t have their POS Systems upgraded to accept the new Chip/PIN cards and they are having you swipe them. Out of the 10 stores I shop at only 2 have the Chip/PIN technology in place and working. The rest are giving their associates ‘Canned Responses to tell the Customer’: “Sorry we haven’t upgraded our POS Software to accept Smart Chips yet.” I shop with cash more than ever nowadays. I’m waiting for Apple Pay to be hacked next. I’d say it’s not a matter of IF, it’s WHEN.

        1. Jonathan Jaffe

          Kevin: “When” has already passed.

          EMV terminals have been Jedi Waved to skip chip processing. See MagSpoof by Samy Kamkar at http://nc3.mobi/references/2015-unknown/#20151124 The graphic is at http://nc3.mobi/wp-content/uploads/2015/12/20151124-magspoof.png

          This weakness may have been fixed, but think, EMV has been in use for years and this problem existed. What else?

          2/3 of UK banking customers surveyed say PIN is obsolete. Story http://nc3.mobi/references/emv/#20151119 and the US is barely using -PIN. We use -SIG (often without the signature)

          Existing protocols appear to have been full of holes for years. See http://arstechnica.com/security/2015/12/common-payment-processing-protocols-found-to-be-full-of-flaws/

          We need a better way.

          Jonathan @NC3mobi

  7. jim

    The consumer is the only one with skin in this game. Where do the companies get their money? Where do the bad guys get their money? All back one way or another to fleece the consumer.

  8. Randy

    One way to end this insanity is to stop banking/credit carding with the big banks who don’t give a flying fig about their customers. My card got stolen due to a breach, but guess what? My bank called me as soon as the first weird transaction tried to go through and shut everything down immediately. I had to do without that card for a couple of weeks but otherwise, no loss for them or me to worry about.

  9. Daniel

    If I was Hyatt I would sue this guy Brian Krebs. There is absolutely no way you can know for sure if Hyatt or any other brand was breached unless you directly have access to their system. I understand people are hungry for news like this and Brian does this for a living but for Hyatt this is not so good. They might lose millions of dollars because of this kind of news.

    1. Oliver

      > There is absolutely no way you can know for sure if
      > Hyatt or any other brand was breached unless you
      > directly have access to their system.

      Or… it could just be that Brian has access to Hyatt’s press releases on their website?

      http://newsroom.hyatt.com/news-releases?item=123450

      And look, he even put that link into the original post that you apparently didn’t read very closely :/

    2. Gord

      Are you for real? If anything, it’s the companies such as Hyatt that suffer breaches like this that DESERVE to lose some business. Not until business suffers will companies take IT security seriously. If anything, it’s Hyatt that deserves to be sued, and Brian Krebs should get a bonus for keeping things like this at the forefront of consumers’ minds.

    3. Not Me

      Yes, yes, sue away, it may be the only way we find out what really happened on the inside of the operation.

      What a silly comment.

      This site is one a few that reports useful information in a timely manner. Most of us appreciate Brian Krebs and his desire to report on this topic.

      Hey Krebs, here’s hoping you have a successful and prosperous 2016, looking forward to hearing you speak again. Looking forward to a new book as well. Get to work!

      Cheers!

  10. Kevin

    I had a problem with skimming at the Hyatt in July 2014 after making an online reservation for a weekend stay. I returned on a Sunday and someone from that location went on a $1200 spree at bars and shopping at Macy’s. My credit card company had me fill out some documents to negate the charges and they were eventually removed. I alerted Hyatt Management at that time and told them they had a breach with their reservation system. And the management seemed to play dumb at the time. So it really makes me wonder how long these companies have known before going public with the breach details?? I didn’t see any statements from Hyatt officials till Nov 2015. As consumers we should have the ability to charge these companies that allow their security to become lax.

  11. Michael

    @Kevin – your description of your specific breach sounds confusing. You say you were skimmed, but made an online reservation. Would I be correct in assuming you had the issue following the hotel swiping your card at check-in for the actual stay and not following the reservation creation online? After Check-In someone local to that specific Hyatt, used your mag stripe data to make a duplicate card for the spending spree in the geography local to the Hyatt you stayed in, correct?

    If it was following your online reservation and not the check-in, then the issue would be with the Hyatt systems, but the situation you seem to be describing, sounds more like a malicious individual or team acting outside of the Hyatt Reservation System and would not be from a breach with their actual systems.

    When these targeted systems are breached the likelihood of the spending occurring in the same geo is extremely remote, as your PAN (Account number) and other necessary data would go into a file with thousands or more cards and be sold in bulk globally. Additionally, the fraud also does not usually occur so soon after the stay, if that is when you were compromised.

    It sounds more to me that your issue was not likely related to this breach, but rather was the target of a skimming team or individual. Just postulating.

    1. Kevin

      That’s the weird part of this whole thing. When I made my reservations I made them on Hyatt Online site. My Credit Card never left home and was not with me during check-in. (Stay was one Sat night) When I returned I got a call from my bank Tues. that someone was making purchases using my card in the same city that I stayed. So it was as if someone skimmed my CC. Not sure how that happened. Hence why I thought it was the Reservation System online Website.

  12. Melissa

    It’s really a nice and helpful piece of information. I am glad that you just shared this helpful information with us. Please keep us up to date like this. Thank you for sharing.
