Hyatt Corp. hotel guests are being warned of a credit card breach, the second since December 2015. On Thursday, the hotelier identified 41 of its hotels spread across 13 countries where it confirmed unauthorized access to payment card information.
China is the hardest hit by the breach with 18 hotels impacted. Three U.S. hotels were part of the breach and were each located in Hawaii. Hyatt properties in India, Japan and Saudi Arabia were also impacted.
Hyatt said affected guests are those who had their credit cards manually entered or swiped at the front desk at breached locations between March 18 and July 2.
“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” wrote Chuck Floyd, global president of operations for Hyatt Hotels Corporation, in an open letter to customers posted to its website. “I want to assure you that there is no indication that information beyond that gained from payment cards—cardholder name, card number, expiration date and internal verification code—was involved.”
Floyd said the breaches only impacted “a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the time period.” Nevertheless, he assured Hyatt customers that as a result of the attack, Hyatt had implemented measures designed to prevent future attacks. “Guests can feel confident using payment cards at Hyatt hotels worldwide,” he said.
On Dec. 23, 2015, Hyatt suffered a similar breach affecting 250 hotels located in 50 countries. At the time, Hyatt stated it “discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.”
In a prepared statement at the time Hyatt stated: “Hyatt has taken steps to strengthen the security of its systems, and customers can feel confident using payment cards at Hyatt hotels worldwide.”
With this latest breach, Hyatt joins a long list of hotel chains targeted by hackers seeking credit card data stored on computers. This year alone the InterContinental Hotels Group, the Hard Rock Hotels and Casinos franchise, and the travel services company Sabre Corp. reported breaches or compromises of their systems. Sabre’s reservation systems are used by nearly 36,000 properties worldwide, according to the company’s website.
Security researchers at Trustwave, in a report published late last year, said the hospitality industry is increasingly being targeted by groups such as the Carbanak cybercrime gang.
Criminals behind the Carbanak gang have shifted their strategy from financial institutions over the past 12 months and are now targeting the hospitality and restaurant industries, Trustwave researchers stated. Researchers said Carbanak criminals have been targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The ultimate target is credit card data scraped from the memory of point-of-sale systems, the researchers said.
Attacks against hotels by Carbanak have included malicious macros that are booby-trapped with .VBS scripts capable of stealing system information and taking desktop screenshots.