Hyatt Reports Another Payment Card Breach Affecting 41 Hotels In 11 Countries

For the second time in two years, global hotel operator Hyatt has been hit by a far-reaching breach of its payment card system. The latest attack involves the financial information of guests who stayed at any one of 41 Hyatt properties in 11 different countries.

In its announcement, Hyatt says that the data that crooks may have obtained includes cardholder names, card numbers, expiration dates, and the internal verification code. The breach affects cards that were physically swiped at the front desk of the hotels, and not cards used for online reservations. Card information was at risk from March to July of 2017.

“While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period,” the company said in a statement, “the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.”

In other words, Hyatt can tell you whether you stayed in an affected hotel during the period when malware was lurking on its payment systems, but can’t tell you whether your payment information was stolen.

Over at Krebs on Security, where we learned about this breach, Brian Krebs points out that there’s a reason why there have been so many breaches at chain hotels and other hospitality businesses in recent years. Malware-wielding crooks have become very, very good at finding ways into the systems of hotels, resorts, and restaurants.

They’ve developed specialized phishing messages that appear to be from companies in that industry or a business looking to book an event, all with the goal of getting someone to click on a link in an email.

Here’s the list of properties, if you’re curious. If you stayed at any of them, watch your credit card or bank statements carefully, and consider turning on any suspicious payment notification service that your bank might offer.


| Country/Territory | City | Property |
|---|---|---|
| Brazil | Sao Paulo | Grand Hyatt Sao Paulo |
| China | Fuzhou | Hyatt Regency Fuzhou, Cangshan |
| China | Guangzhou | Grand Hyatt Guangzhou |
| China | Guangzhou | Park Hyatt Guangzhou |
| China | Guiyang | Hyatt Regency Guiyang |
| China | Hangzhou | Hyatt Regency Hangzhou |
| China | Hangzhou | Park Hyatt Hangzhou |
| China | Jinan | Hyatt Regency Jinan |
| China | Lijiang | Grand Hyatt Lijiang |
| China | Qingdao | Hyatt Regency Qingdao |
| China | Sanya | Grand Hyatt Sanya Haitang Bay |
| China | Shanghai | Andaz Xintiandi, Shanghai |
| China | Shanghai | Grand Hyatt Shanghai |
| China | Shanghai | Hyatt on the Bund, Shanghai |
| China | Shanghai | Hyatt Regency Chongming |
| China | Shanghai | Hyatt Regency Shanghai Wujiaochang |
| China | Shenzhen | Grand Hyatt Shenzhen |
| China | Xiamen | Hyatt Regency Xiamen Wuyuanwan |
| China | Xi’an | Hyatt Regency Xi’an |
| China | Cartagena | Hyatt Regency Cartagena |
| Guam | Tumon | Hyatt Regency Guam |
| India | Pune | Hyatt Place Pune/Hinjawadi |
| Indonesia | Bali | Grand Hyatt Bali |
| Japan | Tokyo | Andaz Tokyo Toranomon Hills |
| Malaysia | Kuala Lumpur | Grand Hyatt Kuala Lumpur |
| Mexico | Celaya | Hyatt Place Celaya |
| Mexico | Playa del Carmen | Andaz Mayakoba |
| Mexico | Tijuana | Hyatt Place Tijuana |
| Mexico | Zapopan, Jalisco | Hyatt Regency Andares Guadalajara |
| Mexico | Dorado | Hyatt Place Bayamón |
| Mexico | Manatí | Hyatt Place Manatí |
| Puerto Rico | San Juan | Hyatt Place San Juan |
| Saudi Arabia | Holy Makkah | Jabal Omar Hyatt Regency Makkah |
| Saudi Arabia | Jeddah | Park Hyatt Jeddah – Marina, Club and Spa |
| Saudi Arabia | Riyadh | Hyatt Regency Riyadh Olaya |
| South Korea | Busan | Park Hyatt Busan |
| South Korea | Seogwipo-Si | Hyatt Regency Jeju |
| South Korea | Seoul | Grand Hyatt Seoul |
| United States | Koloa, HI | Grand Hyatt Kauai Resort and Spa |
| United States | Lahaina, HI | Hyatt Regency Maui Resort and Spa |
| United States | Wailea, HI | Andaz Maui at Wailea Resort |

Hyatt’s number for customers in the United States to call with questions about the breach is 855-474-9288. Numbers to call from other countries are available on the breach announcement page.