Australians who holidayed in Bali and used a credit or debit card at the Hyatt Hotel between March and July may be affected by the hotel chain’s latest payment card breach.
The hotel giant is notifying customers of a breach of payment card information from cards manually entered or swiped at the front desk of 41 Hyatt-managed properties in 11 countries. The dates of the unauthorized access were between March 18 and July 2, 2017.
Bali, a favorite holiday spot for Australians, is the only Hyatt property affected in Indonesia.
Hyatt said the source of the unauthorized access was malware on some hotel IT systems. Compromised data includes the cardholder name, card number, expiration date and internal verification code.
The company estimated that a “small percentage” of payment cards were affected during the period, but notes that it doesn’t have the information to determine each card affected in the incident. It has advised customers to review their account statements.
“I want to assure you that there is no indication that information beyond that gained from payment cards … was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide,” said Chuck Floyd, Hyatt Hotels Corporation’s global president of operations, in the message to customers.
The payment card breach affected 18 Hyatt properties in China, making it the most widely infected target. Only three hotels in Hawaii are in the list of affected US properties. Properties in Brazil, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia, and South Korea were also affected. A list of all affected hotels is here.
After discovering the breach, Hyatt says it "launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities."
In January last year Hyatt announced that 250 hotel locations in 50 countries were affected by a payment card breach that occurred between August and December 2015. It was also attributed to malware on hotel IT systems designed to capture payment card data.
Hotel chains are a popular target for payment card-focussed malware. In April, InterContinental Hotels Group reported that cash registers at nearly 1,200 hotels in the Americas were infected with payment card malware, as reported by KrebsOnSecurity at the time.
Hyatt has provided a list of numbers for concerned customers to call. The number for customers in its Pacific region is 13 1234, which is available 9am to 6pm AEST.