Hyatt Hotels announced today a point of sale (POS) breach that impacted several dozen of the company's locations between March and July 2017.
The POS systems affected were located at the front desk of 41 properties worldwide, seven located in U.S. territory, the company said in a letter to those possibly affected. Hyatt's internal cybersecurity team picked up on the unauthorized access to the front desk systems where cards were either swiped or manually input by the hotel staff. The compromised payment card information included cardholder name, number, expiration date and internal verification code, Hyatt said.
“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” Hyatt said in the customer letter.
Steve Moore, Exabeam's VP & chief security strategist, gave a hat tip to Hyatt's team for narrowing down where the attack hit, but also noted the fact that the POS computer may have also been the entry way for the malware.
"Several interesting things include the location of affected hotels, specifically China and the fact that the infection point was from “cards manually entered or swiped at the front desk.” In several public cases, adversaries will call the front desk complaining of an issue and send an email with supporting information (containing VBScript or macros that download malware, and continue with password stealing and enabling remote desktop)," he told SC Media in an emailed comment.
The company would not say how many people were potentially affected nor does it know exactly who may have been compromised.
“While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected,” Hyatt said in a statement.
Instead Hyatt is recommending any customer who visited one of the hotels check their cards for unauthorized charges.
Three of the hotels are in Hawaii, three in Puerto Rico and one in Guam. A complete list of the properties affected can be found here.