Hyatt Confirms 250 Hotels Were Infected With Malware Last Year, Possibly Exposing Customer Payment Data

After announcing late last year that a slew of its hotels had been infected by malware, Hyatt has now identified the 250 properties that were affected — roughly 40% of its businesses in operation. Customers staying at those hotels who paid with a debit or credit card may have had their payment data and other information exposed to hackers, the chain said.

Hyatt doesn’t know how many customers were affected yet, but said that the malware was at work between July and December 2015 within payment-processing systems at its restaurants, spas, front desks, and other areas in its hotels.

Information that possibly was accessed by hackers includes cardholder names, card numbers, and expiration dates, Hyatt said. The malware was found at brands like Park Hyatt, Hyatt Regency, and Andaz, with about 100 U.S. hotels included in the list. The rest were abroad in cities like London, Paris, and Shanghai.

“Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,” said Chuck Floyd, global president of operations for Hyatt. “We have been working tirelessly to complete our investigation, and we now have more complete information that we want to share so that customers can take steps to protect themselves. Additionally, we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.”

The chain is encouraging customers to review their payment card account statements closely and to report any unauthorized charges to their card issuer immediately. Customers can visit for more information, or call 1-877-218-3036 (U.S. and Canada) and +1-814-201-3665 (International) from 7 a.m. to 9 p.m. EST.

Hyatt has plenty of company in the malware-infected waters: in November, Hilton reported a credit card breach in many of its stores and restaurants, while Starwood reported that payment systems at 54 of its locations had been struck by malicious software.