The cyber security team at Hyatt Hotels Corporation discovered signs of — and then purportedly resolved — unauthorized access to payment card information from credit cards which were manually entered or swiped at the front desk of 41 different hotel or resort properties in eleven countries between Saturday, March 18, 2017 and Sunday, July 2, 2017.
Credit Card Security Breach at 41 Hyatt Hotel Properties in Eleven Countries
A list of the hotel and resort properties affected by this breach is included in this article.
The following text is this letter from Chuck Floyd — who is the global president of operations at Hyatt Hotels Corporation — and is presented verbatim:
Dear Hyatt Guest,
We understand the importance of protecting customer information and securing our systems, and we regret to inform you that we discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. A list of affected hotels and respective at-risk dates is available here.
Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities. Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue. I want to assure you that there is no indication that information beyond that gained from payment cards – cardholder name, card number, expiration date and internal verification code – was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.
While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected. It’s important to Hyatt that we notify guests and provide helpful information about steps they can take, and we have directly contacted all guests for whom we have appropriate contact information that checked in to an affected hotel during the at-risk dates. As always, the primary step customers can take is to review their payment card account statements closely and report any unauthorized charges to their card issuer immediately.
This incident is something we take seriously, and we are sorry for the inconvenience and concern this may cause our guests. If you have questions or would like more information, please call:
- People’s Republic of China: 4001 200 597 (English/Mandarin/Cantonese) from 9AM-6PM China Standard Time
- Korea: 00798 8523 8066 (English/Korean) from 9AM-6PM Korea Standard Time
- Japan: 050 3822 4804 (English/Japanese) from 9AM-6PM Japan Standard Times
- Europe: 0800 973 1234 (English/German/French/Italian/Spanish/Russian/Arabic/Dutch) from 9AM-6PM Central European Time
- India: 1 800 122 1234 (English/Hindi/Arabic) from 9AM-6PM India Standard Time
- Southeast Asia: 1 800 888 1234 (English/Tagalog/Korean) from 9AM-6PM Philippine Time
- Pacific: 13 1234 (English) from 9AM-6PM Australian Eastern Standard Time
- United States and Rest of World: +1 855 474 9288 (English) from 7AM-9PM U.S. Central Standard Time
- United States and Rest of World: +1 402 938 3421 (English/Spanish) from 7AM-9PM U.S. Central Standard Time
Sincerely,
Chuck Floyd
Global President of Operations
Hyatt Hotels Corporation
Answers to Frequently Asked Questions
Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates, it’s important to Hyatt that they notify you and provide helpful information about steps you can take.
Hyatt has posted this notice with a list of affected hotels and respective at-risk dates for guests of which the company may not have appropriate and reliable contact information.
Please refer to your account statements to see if you used a payment card at one of the affected hotels during a relevant time period. If you believe your payment card was affected or you see any unusual activity on your account statement, you should immediately contact your financial institution.
Working with their leading third-party cyber security experts, Hyatt claims to have resolved the issue and implemented additional security measures to strengthen the security of our systems. Customers can confidently use payment cards at Hyatt hotel properties worldwide.
As always, the primary step you can take is to review your payment card account statements closely and report any unauthorized charges immediately to the company or financial institution which issued your credit card, with whom you should communicate for details because — while financial institutions’ policies related to fraud may vary — payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.
Affected Hotel and Resort Properties
The 41 hotel and resort properties in eleven countries — Guam and Puerto Rico are territories of the United States — which were affected by this particular breach include:
BRAZIL
Grand Hyatt Sao Paulo
CHINA
Hyatt Regency Fuzhou, Cangshan
Grand Hyatt Guangzhou
Park Hyatt Guangzhou
Hyatt Regency Guiyang
Hyatt Regency Hangzhou
Park Hyatt Hangzhou
Hyatt Regency Jinan
Grand Hyatt Lijiang
Hyatt Regency Qingdao
Grand Hyatt Sanya Haitang Bay
Andaz Xintiandi, Shanghai
Grand Hyatt Shanghai
Hyatt on the Bund, Shanghai
Hyatt Regency Chongming in Shanghai
Hyatt Regency Shanghai Wujiaochang in Shanghai
Grand Hyatt Shenzhen
Hyatt Regency Xiamen Wuyuanwan
Hyatt Regency Xi’an
COLOMBIA
Hyatt Regency Cartagena
GUAM
Hyatt Regency Guam
INDIA
Hyatt Place Pune/Hinjawadi
INDONESIA
Grand Hyatt Bali
JAPAN
Andaz Tokyo Toranomon Hills
MALAYSIA
Grand Hyatt Kuala Lumpur
MEXICO
Hyatt Place Celaya
Hyatt Place Tijuana
Hyatt Regency Andares Guadalajara
Andaz Mayakoba in Playa del Carmen
PUERTO RICO
Hyatt Place Manatí
Hyatt Place San Juan
Hyatt Place Bayamón in Dorado
SAUDI ARABIA
Jabal Omar Hyatt Regency Makkah
Park Hyatt Jeddah – Marina, Club and Spa
Hyatt Regency Riyadh Olaya
SOUTH KOREA
Park Hyatt Busan
Hyatt Regency Jeju
Grand Hyatt Seoul
UNITED STATES
Grand Hyatt Kauai Resort and Spa
Hyatt Regency Maui Resort and Spa
Andaz Maui at Wailea Resort
Security Breaches Not Uncommon
Hyatt Hotels Corporation was only one of the lodging companies involved in a security breach of its payment system in 2015 which may be one contributing factor for its Internet web site to have undergone maintenance for four days.
Sadly, security breaches seem to be a way of life more than a mere exception, as these past articles written by me seem to illustrate how serious is this problem of protecting sensitive data from being breached — and it seems that no company is immune:
- Payment Card Data Breach Confirmed by Kimpton Hotels & Restaurants — and What You Can Do
- Miles Stolen; American, United and Delta Frequent Flier Accounts Breached
- Warning: Security Breach of E-Mail Accounts at Various Companies
- Unauthorized Individual Accessed My Hyatt Gold Passport Account?
- Cyber Attack on an Account I Have Not Had in Years?!?
- Breaking News: Many British Airways Executive Club Accounts Locked; Avios Reset to Zero
- My Starwood Account Was Compromised: More Details — and What Happened
- Follow Up: My Telephone Call With a Starwood Representative
- Warning: Your Hilton HHonors Account Can Be Sold for Cents on the Dollar by Thieves
What You Can Do to Mitigate Fraud as a Result of a Security Breach
Unfortunately — in this digitally connected world — there is no sure-fire way to completely insulate yourself from security breaches and possible fraudulent activity using your sensitive information; but you can take measures to at least mitigate the possibility.
Most important is to remain as aware of your financial activity as possible. Review your payment card statements for any unauthorized activity — and if you do find anything questionable about which you are unsure, report it to the issuer of your payment card. No harm is typically done to anyone if the activity proves to be valid — the worst that could happen is that payment is delayed to the merchant — but if the activity proves to be fraudulent, you have given early and timely notice in preventing it from happening further; and you usually are not liable for any damages beyond $50.00 at most.
Similarly, review activity on your credit report as well. You may obtain a complimentary copy of your credit report once every 12 months — as well as place a security freeze on your credit report if necessary — from each of the four nationwide credit reporting companies:
- Equifax PO Box 740241, Atlanta, Georgia 30374, 1-800-685-1111 I know, I know — I get the irony here
- Experian PO Box 2002, Allen, Texas 75013, 1-888-397-3742
- TransUnion PO Box 2000, Chester, Pennsylvania 19016, 1-800-916-8800
- Innovis PO Box 1689, Pittsburgh, Pennsylvania 15230-1689, 1-800-540-2505
If you believe you are the victim of identity theft — or have reason to believe your personal information has been misused — you should immediately contact the Federal Trade Commission or the office of the attorney general in the state where you reside. You can obtain information from these sources about steps you can take to avoid identity theft — as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
1-877-IDTHEFT 0r 1-877-438-4338
www.ftc.gov/idtheft
Closely scrutinize and review the account statements of the credit card which you used for payment; and if you detect any unauthorized charges, immediately report them to the financial institution which issued your card. Timely reporting of any nefarious activity with your card usually will ensure that you are not responsible for unauthorized charges and therefore will not be required to pay them.
To help reduce the chances of your frequent travel loyalty program account becoming compromised, consider following these steps:
- Do not use your e-mail address as your user name or identification to log into different Internet web sites
- Use a complex password and regularly update it
- Use different credentials — passwords and user names, as two examples — to log in for each of your accounts in different frequent travel loyalty programs
- Always check your account regularly
- Promptly report any potential suspicious activity
Summary
Anyone can say with absolute confidence that this will not be the last time the sensitive data of people or companies will be breached in some way; so being vigilant about protecting your information is of paramount importance — and constant and consistently acute awareness is key to that vigilance.
Again, the recovery process from the results of fraudulent activity can be quite arduous and time-consuming; so preventative measures in protecting your sensitive information from being accessed — or, at least, mitigating any further damaging activity from occurring — is preferable.
Even if you have not been affected by this particular breach, you may want to read this comprehensive article which I wrote pertaining to identity theft and credit card fraud — and what you can do and how to reduce your risk.
Hyatt on the Bund is one of the 41 hotel properties affected by the breach. Please click here for a review of this hotel property. Photograph ©2014 by Brian Cohen.