Hotel giant Hyatt is warning its customers around the world that their payment data may have been compromised in another breach at the company, its second in two years.
The firm’s security team identified unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18 and July 2 this year.
The data stolen included cardholder name, card number, expiration date and internal verification code, but no additional personal information, according to a statement penned by global president of operations, Chuck Floyd.
There’s no indication of how many customers were affected, although Hyatt claims it is only a “small percentage” of those who visited during the period.
The breach affected 41 facilities across 11 countries: the US, Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia and South Korea.
Floyd continued:
“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.”
Hyatt suffered a similar breach back in 2015, although that time it affected 250 hotels in over 50 countries worldwide.
“We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future,” Floyd said at the time.
That hasn’t prevented him from repeating the same line this time around.
“As a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide,” he said in the new statement this week.
John Christly, global CISO of Netsurion and EventTracker and member of the PCI SSC, argued that hackers are specifically targeting hotels running certain POS systems.
“These are often integrated POS environments running applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt payment data. Hotel systems send the data to the back office instead of directly to the payment processor, adding an additional step that creates weakness in the hotel POS system,” he explained.
“In addition, there are large volumes of payment card transactions between restaurants, on-site shops, spas, parking, and the front-desk, ensuring there is plenty of customer data for a hacker to compromise.”
Christly urged hotels to maintain PCI compliance, train employees well, install AV on every device and integrate a managed SIEM in order to better protect customer data.
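Two of the defensive points raised above can be made concrete: a full card number should never sit in plaintext on the back-office hop that Christly describes, and the SIEM he recommends should be able to tell when one does. The example below is added here and is not code from the article, from Hyatt, or from Netsurion. It scans constructed property-system records for card numbers (digit runs of 13 to 19 that pass the Luhn check), reports them in masked form only, and contrasts that with a constructed stand-in for an encrypting or tokenising terminal, where only a masked PAN and a keyed reference ever leave the device. All record contents, the `DEMO_KEY` and the HMAC-based token format are assumptions for illustration; real P2PE terminals encrypt inside tamper-resistant hardware with processor-managed keys.

```python
import hashlib
import hmac
import re

# Card numbers are 13-19 digits; allow the spaces or hyphens that receipts and
# hand-typed front-desk entries often contain between digit groups.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the form a folio may legitimately store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(text: str) -> list[str]:
    """Return normalised card numbers found in one back-office record or log line."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):      # drops reservation ids, phone numbers, timestamps
            found.append(digits)
    return found


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Flag every record that carries a full card number; report only the masked form."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_plaintext_pans(rec):
            findings.append((idx, mask_pan(pan)))
    return findings


def capture_at_terminal(pan: str, amount: str, key: bytes) -> str:
    """Constructed stand-in for an encrypting/tokenising terminal: only a masked PAN
    and a keyed, non-reversible reference leave the device, so the back-office hop
    never holds the full number. The HMAC here only models the data shape; it is an
    assumption, not a real terminal's scheme."""
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:12]
    return f"pan={mask_pan(pan)} token={token} amt={amount}"


# Constructed records in the shape a hotel property system might hold (not real data).
BACK_OFFICE_RECORDS = [
    "2017-06-01 08:12:03 frontdesk-01 folio=48213 pan=4111111111111111 exp=0919 amt=212.40",
    "2017-06-01 08:15:44 frontdesk-01 folio=48214 pan=411111******1111 amt=98.00",
    "2017-06-01 09:02:10 spa-02 reservation=77120 phone=5555555555 amt=140.00",
    "2017-06-01 09:30:51 restaurant-03 check=1022 pan=5555 5555 5555 4444 amt=61.25",
]

# Constructed key; a real deployment keeps it in the terminal or an HSM, never on the back-office host.
DEMO_KEY = b"demo-key-not-for-production"


def hardened_records() -> list[str]:
    """The same two card transactions captured through the tokenising path."""
    return [
        capture_at_terminal("4111111111111111", "212.40", DEMO_KEY),
        capture_at_terminal("5555555555554444", "61.25", DEMO_KEY),
    ]


if __name__ == "__main__":
    for idx, masked in scan_records(BACK_OFFICE_RECORDS):
        print(f"record {idx}: full card number present ({masked})")
    print("hardened path findings:", scan_records(hardened_records()))
```

Run over the constructed records, the scanner flags the two lines holding a full card number (one typed in, one swiped and spaced), ignores the already-masked folio and the ten-digit phone number, and finds nothing in the tokenised records. Fed with real back-office logs, the same check is a cheap SIEM rule for the condition Christly warns about: card data resting where only a masked reference should be.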