For the second time in two years, global hotel operator Hyatt has been hit by a far-reaching breach of its payment card system. This Hyatt Breach involves the financial information of guests who stayed at any one of 41 Hyatt properties in 11 different countries.
In its announcement, Hyatt says that the data that crooks may have obtained includes cardholder names, card numbers, expiration dates, and the internal verification code. The breach affects cards that were physically swiped at the front desk of the hotels, and not cards used for online reservations. Card information was at risk from March to July of 2017.
“While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period,” the company said in a statement, “the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.”
In other words, Hyatt can tell you whether you stayed in an affected hotel during the period when malware was lurking on its payment systems, but can’t tell you whether your payment information was stolen.
Over at Krebs on Security, where we learned about this breach, Brian Krebs points out that there’s a reason why there have been so many breaches at chain hotels and other hospitality businesses in recent years. Malware-wielding crooks have become very, very good at finding ways into the systems of hotels, resorts, and restaurants.
They’ve developed specialized phishing messages that appear to be from companies in that industry or a business looking to book an event, all with the goal of getting someone to click on a link in an email.
Here’s the list of properties, if you’re curious. If you stayed at any of them, watch your credit card or bank statements carefully, and consider turning on any suspicious payment notification service that your bank might offer.
|Brazil||Sao Paulo||Grand Hyatt Sao Paulo|
|China||Fuzhou||Hyatt Regency Fuzhou, Cangshan|
|China||Guangzhou||Grand Hyatt Guangzhou|
|China||Guangzhou||Park Hyatt Guangzhou|
|China||Guiyang||Hyatt Regency Guiyang|
|China||Hangzhou||Hyatt Regency Hangzhou|
|China||Hangzhou||Park Hyatt Hangzhou|
|China||Jinan||Hyatt Regency Jinan|
|China||Lijiang||Grand Hyatt Lijiang|
|China||Qingdao||Hyatt Regency Qingdao|
|China||Sanya||Grand Hyatt Sanya Haitang Bay|
|China||Shanghai||Andaz Xintiandi, Shanghai|
|China||Shanghai||Grand Hyatt Shanghai|
|China||Shanghai||Hyatt on the Bund, Shanghai|
|China||Shanghai||Hyatt Regency Chongming|
|China||Shanghai||Hyatt Regency Shanghai Wujiaochang|
|China||Shenzhen||Grand Hyatt Shenzhen|
|China||Xiamen||Hyatt Regency Xiamen Wuyuanwan|
|China||Xi’an||Hyatt Regency Xi’an|
|China||Cartagena||Hyatt Regency Cartagena|
|Guam||Tumon||Hyatt Regency Guam|
|India||Pune||Hyatt Place Pune/Hinjawadi|
|Indonesia||Bali||Grand Hyatt Bali|
|Japan||Tokyo||Andaz Tokyo Toranomon Hills|
|Malaysia||Kuala Lumpur||Grand Hyatt Kuala Lumpur|
|Mexico||Celaya||Hyatt Place Celaya|
|Mexico||Playa del Carmen||Andaz Mayakoba|
|Mexico||Tijuana||Hyatt Place Tijuana|
|Mexico||Zapopan, Jalisco||Hyatt Regency Andares Guadalajara|
|Mexico||Dorado||Hyatt Place Bayamón|
|Mexico||Manatí||Hyatt Place Manatí|
|Puerto Rico||San Juan||Hyatt Place San Juan|
|Saudi Arabia||Holy Makkah||Jabal Omar Hyatt Regency Makkah|
|Saudi Arabia||Jeddah||Park Hyatt Jeddah – Marina, Club and Spa|
|Saudi Arabia||Riyadh||Hyatt Regency Riyadh Olaya|
|South Korea||Busan||Park Hyatt Busan|
|South Korea||Seogwipo-Si||Hyatt Regency Jeju|
|South Korea||Seoul||Grand Hyatt Seoul|
|United States||Koloa, HI||Grand Hyatt Kauai Resort and Spa|
|United States||Lahaina, HI||Hyatt Regency Maui Resort and Spa|
|United States||Wailea, HI||Andaz Maui at Wailea Resort|
Hyatt’s number for customers in the United States to call with questions about the breach is 855-474-9288. Numbers to call from other countries are available on the breach announcement page.
If you, or someone you know, has been affected by this breach please contact us and tell us immediately! We can be reached on our online complaint portal, our fraud alert monitoring system, or directly by email at firstname.lastname@example.org.