12 Oct 17

Hyatt Hotels Suffers 2nd Card Breach in 2 Years

Hyatt Corp. is alerting customers about another credit card breach at some hotels, the second major incident with the hospitality chain in as many years.

Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.

“Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities,” the company said in a statement. “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates.

The hotel chain said the incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.

In late 2015, Hyatt announced that for about four months that year hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Only five of the Hyatt properties affected in this most recent breach were U.S. locations: three resorts in Hawaii and one each in Guam and Puerto Rico.

The nation with the largest number of Hyatt properties impacted was China (18). The company has published a list of the affected hotels here.

Each time one of these breach stories breaks, I hear from a number of readers who say they believe their cards were impacted based on some fraudulent activity on their cards. One thing I try to stress to those readers is that there are so many merchants both online and offline that are compromised by card-stealing malicious software that it is very likely that their card numbers were stolen from multiple victim companies.

The most important thing to bear in mind with all these card breaches is that although consumers are not liable for fraudulent charges, it still usually falls to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

For anyone curious about why the hotel industry has been so heavily targeted over the past few years, check out some of the case studies published by Trustwave Spiderlabs. Organized crime groups (most notably the Carbanak gang) have been targeting customer service and reservations specialists at various hospitality chains with tailored social engineering attacks that involve well-aged fake companies and custom malware.


32 comments

  1. I wonder what CRS they use?
    I wonder how many properties are still on Windows XP?

    I wonder when someone with responsibility for security will suffer the consequences of their incompetence?

    • I actually stayed at a Hyatt this week in Austin. I saw that they were using the Oracle Hospitality suite.

      https://www.oracle.com/industries/hospitality/index.html

      • The system formerly known as Opera (from Micros), along with their Micros RES (or similar) POS systems. These systems used to be equipped with insanely simple vendor support logon credentials. As these are the most widely used hospitality systems globally, they are the most frequently targeted.

    • There are definitely some people in Information Security that are in over their heads. Some are leaders, others are just starting.

      The issue is not always the people, but the company. We can use Target as an example. It was the company’s policy that contributed directly. They did what many of us professionals would cry foul over: use Windows XP after Microsoft ended support. Put non-Target-controlled assets on the network. Poor control over vendors’ access. Etc, etc, etc. Target may have dismissed the risks, perhaps they never invested enough in Security to address these issues, perhaps the other teams dismissed every request from Security to address these issues. Whatever the reason, it’s unfortunate that we want to blame security, but in reality, it may not be them.

      Equifax is a prime example: They put information on a public server that should not have been there. They didn’t patch it, as they should have. This is not Security but everyone else, unless Security failed to tell them the server was vulnerable.

      Steven

  2. Which is more expensive, the up-front proactive IT, or the drip-drip of customer trust going down the drain ongoing, worldwide?
    They should give it up and hire a contractor to manage everything.

    • Jim,

      The breach from my understanding was not a breach this time around. It appears it was a 3rd party they were using; it contained the malicious code. It has been pulled, and is being reviewed.

      Thankfully this was not Equifax this time around. Heads would be rolling… again.

  3. Perhaps maybe they should stop hiring incompetent people to run the security department. This is what happens when you employ people who just finished a college degree and have no idea about internet security.

    • This has nothing to do with the hotel companies. It is the card company’s responsibility to provide a secure product, but they don’t. The card companies have zero motivation to provide more security. These breaches are statistically a small drop in the very large bucket of all transactions handled by the card companies without any problems at all. Any costs associated with these breaches are passed on to and across all the card holders, and therefore become imperceptibly small. The direct victims, both card holders and hotel chains, have no recourse against the card companies because they require all their customers to sign their rights away before enrolling. Only one thing will fix this problem, laws that 1. preserve and protect the customer’s right to go after the card company and company management for civil damages and, 2. laws that hold the card company management criminally responsible for malpractice.

  4. Brian,

    It’s clear from various hotel and retail breaches that the hackers are collecting this credit card data over vast distances over the Internet. The Equifax and Experian breaches also involved the Internet.

    It would seem obvious that separating important business systems from the Internet would easily prevent new, widespread data breaches committed by off-site hackers and thieves.

    Clearly, the geek solution (i.e. patches, firewalls, encryption, “standards,” and better paid geeks) won’t solve the problem.

    Why haven’t the large businesses of the world yet realized that networked business systems have to be cut off from the Internet to solve the problem?

    I may be a little old-fashioned, but I don’t believe that there exists a level of geekery that can prevent the kind of criminal data breaches that affect massive numbers of people. Am I wrong?

    • Mandatory chip & NFC POS at every merchant would go a long way toward accomplishing this. Similarly I would also look forward to online retailers offering an Apple Pay button.

      I look forward to the day when the vast majority of merchants will be able to accept Apple Pay as this is my preferred client side solution for NFC POS transactions.

      • Bwahahahaha, lol…. have fun.

      • More geekery will not solve the problem.

        “Mandatory chip” does not prevent names, drivers license, addresses, or other information (collected during reservations and check in procedures) from being stolen over the Internet.

        “Mandatory chip” will not prevent credit account information from being stolen from reservation systems, as long as they’re connected to the Internet.

        Geekery, like locks, only stop honest people.
        To stop thieves, you need to eliminate the easiest point of entry: Internet.

        • But what was said was “Mandatory chip & NFC POS at every merchant would go a long way toward accomplishing this.”

          I don’t think it was suggested any single thing (geekery) will eliminate the threat. But, it stands to reason businesses should at least make it more difficult. What was recommended would do just that.

    • No one wants to build two networks. No one wants to have two PCs at the desk.

      That is what it would take, much like the military has two SIPR and NIPR networks, each with two different sets of PCs.

      The core problem is how badly the US implementation of the chip has been conducted. Europe doesn’t have nearly weekly announcements of breaches.

      The US just needs to bite the bullet: chip+pin. Make breached companies pay for the entire investigation, cleanup, and fraud charges for anything that leaked through their magstripe system but affected other non-breached companies.

      • Chips don’t solve the simple problem.

        See my reply here:
        https://krebsonsecurity.com/2017/10/hyatt-hotels-suffers-2nd-card-breach-in-2-years/comment-page-1/#comment-443395

        I think you’ll be wrong about the double computers, as more businesses realize the cost of fraud and data theft take a huge public relations toll on their brands and, eventually, when liability changes, their bottom line.

      • “No one wants to build two networks. No one wants to have two PCs at the desk.”

        You don’t need two PCs, just a credit card terminal that is connected differently than everything else.

        “Make breached companies pay for the entire investigation, cleanup, and fraud charges for anything that leaked through their magstripe system but affected other non-breached companies”

        I bet companies would gladly have two PCs to prevent breaches if they would have to pay for the result of their insecurity.

    • Deploying duplicate hardware to support this would be fairly expensive. And really, it wouldn’t work. If you’re laying cable, someone can plug in somewhere and attack. Years ago, Brian had a picture of an ATM plugged into an Ethernet hub (I think it was at a grocery store).

      The problem with solutions like yours is they assume that they’re adding protection, when in most cases they’re merely obfuscating the system and making it more likely people won’t secure their vulnerable assets.

      The goal should be reducing attack surface (not simply moving it which is essentially your proposal):

      End-to-end encryption would be a better choice. Along with supporting chip based transactions (including NFC).

    • Yes. You are wrong.

  5. Whether a hotel or any other business, make sure you use chip on your card when making purchases. Most hotels have these installed now. Insist on it if they do not.

    • Insist on it or what, don’t check in?

      • Personally, I rely on third party brokers for reservations (probably hotels.com or Expedia).

        I think a significant portion of these hacks have been against the non-core portions of hotels (gift shops, restaurants, …) as opposed to the front desk.

        In terms of protection, a card for travel that you can replace quickly is probably a better approach.

        I’d recommend American Express (often one day replacement [1] or ~2 hours for a temporary card [2]) – I got an American Express card because my wallet was left behind on my way to the airport on an overseas trip to Paris (one of the places that does on the spot cards). I haven’t needed the feature since, but, better safe than sorry.

        Probably the biggest hurdle for the average hotel guest is the security deposit. You may be able to ask them to take a carbon copy instead of a swipe. You could provide a cash deposit, but that cure is worse than the disease.

        [1] https://www.americanexpress.com/lacidc/en/travel/travelservices.shtml
        [2] http://secure.cmax.americanexpress.com/Internet/US/Travel/CTN/Components/CTN_ECOMM_WELCOME_POPUP/Global%20Assist%20Hotline.html

        • You may be able to ask them to take a carbon copy instead of a swipe.

          They haven’t done that in years, with the small exception of a few stores, and even then it is not secure because they have a copy of the card # which is why they swipe as a hold and they notify you what they are doing. That’s why you use a credit card for such things.

  6. I’ve actually had my bank call me when someone used “my” debit card at a Best Buy in another state, to make sure it was me. When I told them I wasn’t even in that state they immediately cancelled the card and took the charge off my bank account. So sometimes they will notify you – but it depends on the bank.

  7. How is this dated “OCT 17”?

  8. Is it safe now to use your card for Hyatt?

  9. If this wasn’t so serious it would be funny. It proves one thing, incompetence in business is completely out of control. Even when the fire is still burning, some are throwing gas on it.

  10. Quote – “Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. ”

    Deciphered, this means they may have appropriate controls in place, but they are not being actively reviewed unless something happens, meaning it’s way too late and an ineffective security approach.

  11. General purpose computers and networks (TCP/IP) are very flexible, but complex and prone to security problems. Would we even need chip cards if mag stripe readers couldn’t be compromised as easily and data shipped off over the Internet? An isolated network would go a long way and even better would be specialized (non-IP) protocols so any random laptop can’t be plugged in. When I learned that POS devices and ATMs ran anything but purpose built embedded operating systems I couldn’t believe it.

  12. I have had my card used twice. The first time someone purchased an airline ticket and the second time to YNAP Corp, a woman’s clothing store. The whole time I had the card in possession. The bank took care of it immediately because I take the trouble to check my balance.
    Initially I tried to contact the airline to flag that ticket so the TSA can arrest the perp as they board the gate, but the airline wanted the CC # which the bank cut up, so that ends that.

    Even before this, I insisted on using NFC or, as a last resort, chip whenever I buy something at a store or use an ATM (BOA now allows you to make deposits and withdrawals via Android/Apple Pay).