For the second time in two years, global hotel operator Hyatt has been hit by a far-reaching breach of its payment card system. The latest attack involves the financial information of guests who stayed at any one of 41 Hyatt properties in 11 different countries.

In its announcement, Hyatt says that the data that crooks may have obtained includes cardholder names, card numbers, expiration dates, and the internal verification code. The breach affects cards that were physically swiped at the front desk of the hotels, and not cards used for online reservations. Card information was at risk from March to July of 2017.

“While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period,” the company said in a statement, “the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.”

In other words, Hyatt can tell you whether you stayed in an affected hotel during the period when malware was lurking on its payment systems, but can’t tell you whether your payment information was stolen.

Over at Krebs on Security, where we learned about this breach, Brian Krebs points out that there’s a reason why there have been so many breaches at chain hotels and other hospitality businesses in recent years. Malware-wielding crooks have become very, very good at finding ways into the systems of hotels, resorts, and restaurants.

They’ve developed specialized phishing messages that appear to be from companies in that industry or a business looking to book an event, all with the goal of getting someone to click on a link in an email.

Here’s the list of properties, if you’re curious. If you stayed at any of them, watch your credit card or bank statements carefully, and consider turning on any suspicious payment notification service that your bank might offer.

 

Country/Territory	City	Property
Brazil	Sao Paulo	Grand Hyatt Sao Paulo
China	Fuzhou	Hyatt Regency Fuzhou, Cangshan
China	Guangzhou	Grand Hyatt Guangzhou
China	Guangzhou	Park Hyatt Guangzhou
China	Guiyang	Hyatt Regency Guiyang
China	Hangzhou	Hyatt Regency Hangzhou
China	Hangzhou	Park Hyatt Hangzhou
China	Jinan	Hyatt Regency Jinan
China	Lijiang	Grand Hyatt Lijiang
China	Qingdao	Hyatt Regency Qingdao
China	Sanya	Grand Hyatt Sanya Haitang Bay
China	Shanghai	Andaz Xintiandi, Shanghai
China	Shanghai	Grand Hyatt Shanghai
China	Shanghai	Hyatt on the Bund, Shanghai
China	Shanghai	Hyatt Regency Chongming
China	Shanghai	Hyatt Regency Shanghai Wujiaochang
China	Shenzhen	Grand Hyatt Shenzhen
China	Xiamen	Hyatt Regency Xiamen Wuyuanwan
China	Xi’an	Hyatt Regency Xi’an
China	Cartagena	Hyatt Regency Cartagena
Guam	Tumon	Hyatt Regency Guam
India	Pune	Hyatt Place Pune/Hinjawadi
Indonesia	Bali	Grand Hyatt Bali
Japan	Tokyo	Andaz Tokyo Toranomon Hills
Malaysia	Kuala Lumpur	Grand Hyatt Kuala Lumpur
Mexico	Celaya	Hyatt Place Celaya
Mexico	Playa del Carmen	Andaz Mayakoba
Mexico	Tijuana	Hyatt Place Tijuana
Mexico	Zapopan, Jalisco	Hyatt Regency Andares Guadalajara
Mexico	Dorado	Hyatt Place Bayamón
Mexico	Manatí	Hyatt Place Manatí
Puerto Rico	San Juan	Hyatt Place San Juan
Saudi Arabia	Holy Makkah	Jabal Omar Hyatt Regency Makkah
Saudi Arabia	Jeddah	Park Hyatt Jeddah – Marina, Club and Spa
Saudi Arabia	Riyadh	Hyatt Regency Riyadh Olaya
South Korea	Busan	Park Hyatt Busan
South Korea	Seogwipo-Si	Hyatt Regency Jeju
South Korea	Seoul	Grand Hyatt Seoul
United States	Koloa, HI	Grand Hyatt Kauai Resort and Spa
United States	Lahaina, HI	Hyatt Regency Maui Resort and Spa
United States	Wailea, HI	Andaz Maui at Wailea Resort

 

Hyatt’s number for customers in the United States to call with questions about the breach is 855-474-9288. Numbers to call from other countries are available on the breach announcement page.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.