Multinational hotelier Hyatt has admitted a previously disclosed breach of customer card data affected 250 hotels in over 50 countries.
The firm said just before Christmas 2015 that it found malware on its systems, indicating hackers had found a way in and were probably siphoning off payment card data.
Now, in a lengthy open letter, global president of operations, Chuck Floyd, has revealed the attack occurred “primarily” at restaurants in Hyatt-managed locations, between 13 August and 8 December last year.
The scale and breadth of locations affected—from China to Costa Rica, Australia to Azerbaijan—make it one of the most serious of a spate of recent attacks against hotel chains, although it’s not yet clear how many cards have been affected.
The full list of hotels affected can be found here.
As well as hotel restaurants, a “small percentage” of at-risk cards were exposed at “spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period.”
A “limited” number of locations potentially exposed card data even earlier than the August date—from 30 July, to be precise.
“The malware was designed to collect payment card data—cardholder name, card number, expiration date and internal verification code—from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected,” Floyd explained.
“We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future. We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.”
Hyatt urged customers to remain vigilant and keep a close eye on card activity. The hotel chain has arranged for the obligatory fraud detection service, in this case from CSID, to be provided to customers free of charge for a year.