Skip to content
Naked Security Naked Security

Hyatt says 250 hotels were drained of credit card details

If you ate, golfed, had a spa day, parked or stayed at a Hyatt-managed hotel between August and December 2015, there's a good chance your card details got slurped.

Two days before Christmas, Hyatt acknowledged that its payment systems had been infiltrated by cyberthieves.

Details are beginning to fill in the initially sketchy report: on Thursday, Hyatt put out a statement saying that the intrusion likely affected guests at 250 hotels in about 50 countries.

The upshot: if you ate, golfed, had a spa day, parked or stayed at a Hyatt-managed hotel between August 13, 2015 and December 8, 2015, you should probably check your credit card statement for fraudulent charges, since there’s a good chance your card details got slurped.

Hyatt said that its investigation uncovered signs of unauthorized access to payment card data from cards used at certain Hyatt-managed locations, primarily at restaurants.

Hyatt says a “small percentage” of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office.

In addition, a few locations were targeted on or shortly after July 30, 2015.

Hyatt has put up a list of affected locations and at-risk dates here.

The hotel chain’s investigation found point-of-sale (PoS) malware that it said was designed to collect cardholder names, card numbers, expiration dates and internal verification codes from cards used onsite as the data was being routed through infected payment processing systems.

Apparently, no other customer information was affected.

With its long list of 250 affected hotels worldwide, the Hyatt breach is being called one of the widest-ranging incidents in a rash of hotel PoS attacks.

Other hotels that have been hit include the Mandarin Oriental, which in March confirmed it was probing a potential breach in PoS systems in a small number of properties.

For his part, Republican presidential candidate Donald Trump might well love the idea of putting up a wall to keep out Mexican immigrants, but he apparently couldn’t wall out cybercrooks: the Trump Hotel chain was reportedly drained at least as far back as February and up until at least July 2015.

In February 2014, it was White Lodging, the company behind well-known US hotel chains Hilton, Marriott, Sheraton and Westin, that reported that properties in six US cities had been leaking thousands of guests’ credit and debit card information throughout much of 2013.

According to security journalist Brian Krebs, this rash of PoS fraud boils down to the US dragging its feet on switching from stripe-based credit and debit cards to chip-based cards.

Chip-based cards rely on a microchip embedded in the card, as opposed to the magnetic stripe on the back of nearly all cards used in the US until recently.

The data on that magnetic stripe – known as track data – can easily be copied, stored and later used to create counterfeit cards by writing identical data out onto any similar card with a magnetic stripe.

A chip cards, in contrast, can’t be copied in this way, because some of the data needed to process transactions is stored securely in the chip, and undergoes cryptographic processing internally.

In the US, we’re finally starting to see US retailers installing checkout systems that can process chip-based cards.

However, as Krebs points out, most chip cards also have magnetic stripes, for backwards compatibility, so their track data can still be copied and cloned.

Once chip cards and readers reach a point of wide adoption in the US, will we see a fall-off in the success of vampires who drain PoS systems through malware?


But don’t relax yet: Krebs says he’s expecting a “giant spike” in account hijackings and new-account fraud thanks to fraudsters availing themselves of consumer identity data such as date of birth that’s widely available on the dark web.

Keep your eye on those statements!


When these events happen the news always suggests checking statements for fraudulent charges which is certainly a smart idea. However, a more proactive approach is to set a limit on charges so that you get a text or email when the dollar value us exceeded. You would know sooner, rather than later, if something was amiss.


Of course, cheking your statements helps you spot any sort of fraudulent activity, even for tiny amounts (which might be a precursor to something worse), while the limit-based approach means that the crooks have to spend more than your limit before you notice.

(Many banks outside the US offer SMS messaging for *all* transactions, including ATM withdrawals, which is an even more immediate way of trakcing tour statements…)


Was the political jab necessary? It added nothing to the article other than show the author’s political bias, which has nothing to do with payment breaches. Please keep to the facts and not skewed opinions on which political candidates perform infosec work.


Assuming you mean the mention of Mr Trump…I am not sure where the “skewed opinions” are. (I also can’t figure out what your last sentence means. I’m not sure whether “work” is meant to be a noun or a verb.)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!