In late December, the Hyatt Hotels Corporation announced that it had found malware on computers that operate the payment processing systems for Hyatt-managed locations, but offered no details about how long the compromise had gone on or which hotels were affected.
On Thursday, having completed its investigation, the company finally shared specific details:
“The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.”
The company has provided the list of affected locations, and it is considerable: 318 of the corporation’s 627 properties all over the world have been hit. The at-risk window for each location is included in the list.
The malware collected payment card data – cardholder name, card number, expiration date and internal verification code – and it seems that no other customer information was stolen.
“For at-risk transactions where a cardholder’s name was affected, we are in the process of mailing letters to customers for whom we have a mailing address and sending emails to customers for whom we only have an email address. However, we do not have sufficient information to be able to identify and contact all potentially affected individuals, which is why we encourage customers to reference the list of affected locations and respective at-risk dates,” the company explained.
Customers who used their payment cards at one of the affected locations during that location's at-risk window are advised to keep an eye on their account statements in order to spot any unusual activity and react quickly to prevent fraud.
Hyatt also offered one year of fraud detection services to affected customers for free.
The hospitality industry was heavily hit with PoS malware in 2015: the Mandarin Oriental hotel group, the Hilton and Trump hotel chains, and Starwood Hotels & Resorts are just some of those that have shared details about the compromises they suffered.