People who stayed or bought services at five Canadian Hyatt hotels were among 250 in the chain that may have been victims of a point of sale credit card hack roughly between July 30 and December 8 last year, according to the company.
In a statement issued last week global president of operations Chuck Floyd said an investigation found signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations. The access was mainly at at restaurants, but a “small percentage” were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.
Two of the Canadian hotels were in Toronto, while the others were in Vancouver, Calgary and Montreal.
“The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems,” the statement says. “There is no indication that other customer information was affected,” it adds.
CISOs should warn employees of their organizations who were at any Hyatt hotel during the period of the risk. A list of all the affected hotels is here. Probably anyone who used a chip and PIN card at the facilities in this country is safe. However, any one who swiped their card — or allowed hotel staff to swipe their card — could be at risk.
Point of sale machines are a favourite target of criminals, particularly POS devices at upscale hotels. In the last year hotels managed by Trump, Wyndam, Hilton and Starwood have been hit. Last year Wyndam settled a lawsuit filed by the U.S. Federal Trade Commission for failing to maintain reasonable and appropriate data security practices for sensitive customer data after the chain and subsidiaries suffered three breaches in less than two years. The commission alleged “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”
The Hyatt statement said the company “worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future. We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.”
But it also asked suspected victims to watch their credit card statements closely for any unauthorized charges.