Hyatt has announced that its payment systems were breached, exposing credit card details from 41 hotel properties in 13 countries, making it the second time it has encountered a breach in the past two years.
In a statement, Hyatt revealed its latest data breach occurred between March 18 and July 2 in properties around the world. According to a notice on Hyatt’s website, hotels in China saw the brunt of the attack, with some 18 properties affected in the Asian nation alone. Three resorts in Hawaii were affected along with one in Puerto Rico and another in Guam.
“[W]e regret to inform you that we discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations,” a message from Hyatt’s global president of operations Chuck Floyd read.
A subsequent forensic investigation with “third-party experts, payment card networks and authorities” lead Hyatt to determine that a malicious software code from a third party was inserted onto hotel IT systems. Hyatt admits that credit card details including cardholder name, card number, expiration date and CVV code were all compromised while insisting that no other information was stolen.
An excerpt from Hyatt’s revelation added:
While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.
As a result, the hotel chain is recommending customers to review their payment card account statements.
The breach follows an entirely similar data breach in 2015 when 250 of Hyatt’s hotels in 50 countries were impacted as a result of a data breach due to malware discovered in its payment systems.