The Hyatt hotel chain has released a list of 250 of its hotels that were affected by a malware campaign targeting its customer financial data. While the data breach was exposed in November 2015, it wasn’t brought under control until December and left an unknown number of visitors’ credit card numbers vulnerable. What is slightly worrying is that three Hyatt hotels in Malaysia were also affected.
The malware campaign appears to have been active from 13 August to 8 December, after which Hyatt managed to clean the malware from their systems. It appears to have targeted payment processing systems in restaurants managed by Hyatt, although several spas, golf courses, parking lots, and front desks were also affected. This means that those who merely dropped by the hotel for dinner or used the golf course were potentially exposed to the data theft.
Hyatt has published a list of affected hotels, which includes branches in Malaysia, Singapore, the US, Germany, and China. The Grand Hyatt Kuala Lumpur and Hyatt Regency Kinabalu are both suspected to have been affected by the data breach for almost four months, while the infection at the Hyatt Regency Kuantan Resort only lasted a single month.
The hotel chain is currently sending emails to customers who have been affected by the data breach. Hyatt says that the malware was designed to steal financial data, including cardholder names, card numbers, expiration dates and internal verification codes, which are used onsite to verify transactions.
Anyone who has visited one of the affected Hyatt hotels over the past four months should be paying close attention to their credit card statements. There is a possibility that the hackers behind the malware attack could be using the stolen information to purchase things for themselves, although it is more likely that the data is being sold on the black market.
The problem appears to be under control, and Hyatt says that it is once again safe for customers to use payment cards at its locations. It is also arranging for one year of CSID credit monitoring for all affected customers as an additional precaution. In any case, it might be safer to just cancel the payment card if you receive an email from Hyatt.