Saturday, May 28, 2022

Five Canadian hotels in Hyatt chain victims of malware

People who stayed or bought services at five Canadian Hyatt hotels were among 250 in the chain that may have been victims of a point of sale credit card hack roughly between July 30 and December 8 last year, according to the company.

In a statement issued last week global president of operations Chuck Floyd said an investigation found signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations. The access was mainly at at restaurants, but a “small percentage” were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.

Two of the Canadian hotels were in Toronto, while the others were in Vancouver, Calgary and Montreal.

“The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems,” the statement says. “There is no indication that other customer information was affected,” it adds.

CISOs should warn employees of their organizations who were at any Hyatt hotel during the period of the risk.  A list of all the affected hotels is here.  Probably anyone who used a chip and PIN card at the facilities in this country is safe. However, any one who swiped their card — or allowed hotel staff to swipe their card — could be at risk.

Point of sale machines are a favourite target of criminals, particularly POS devices at upscale hotels. In the last year hotels managed by Trump, Wyndam, Hilton and Starwood have been hit. Last year Wyndam settled a lawsuit filed by the U.S. Federal Trade Commission for failing to maintain reasonable and appropriate data security practices for sensitive customer data after the chain and subsidiaries suffered three breaches in less than two years.  The commission alleged “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss.”

The Hyatt statement said the company “worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future. We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.”

But it also asked suspected victims to watch their credit card statements closely for any unauthorized charges.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.