Tech

250 Hyatt hotels infected last year with payment data stealing malware

The hotel chain has admitted that 250 hotels in 54 countries were affected by the data breach.

Written by Charlie Osborne, Contributing Writer Jan. 15, 2016 at 5:29 a.m. PT

The Hyatt hotel chain has revealed that almost half of its properties were infected with malware last year and customer financial data may have been stolen.

According to the company, 250 hotels out of 627 in the firm's portfolio were infected with information-stealing malware from August 13 to December 8, 2015. Some locations may have been affected as early as July 30, 2015.

Hyatt has published a global list of sites that were compromised.

The list reveals hotels in 54 countries were impacted by the security breach. Hotels in countries including the US, UK, China, Germany, Japan, Italy, France, Russia and Canada were compromised, among others.

China, India and the United States are at the top of the list for malware-ridden hotel systems, with 22, 20 and 99 infected sites respectively.

Security

Hyatt says that following an investigation, "signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations" were discovered.

While malware was exposed mainly at restaurants, some spas, parking, golf shops, front desk reception systems and sales offices were also impacted.

The chain says the malware in question was designed to steal financial data including cardholder names, card numbers, expiration dates and internal verification codes, which are used onsite to verify transactions. According to the company, the malicious code harvested credentials as they passed through Hyatt's infected payment processing systems.

In a statement, Hyatt's global president of operations Chuck Floyd said:

"Please be assured that we take the security of customer data very seriously. We deeply regret the inconvenience and any concern this may have caused you."

Hyatt is in the process of notifying customers by post or email when cardholder names were taken, and have notified authorities. However, the company says they cannot notify everyone who may have been affected due to a lack of contact information.

Hyatt is offering a year of credit monitoring via CSID to potential data theft victims.

The hotel chain says:

"While customers can confidently use payment cards at Hyatt hotels worldwide, any payment card that was used onsite at an affected location during the respective at-risk dates could still be subject to fraud even if you have not yet seen fraudulent activity.
We are continuing to work closely with payment card companies to identify potentially affected cards so that the banks that issued those cards can be made aware and initiate heightened monitoring of those cards."