Uh Oh: Hyatt Reveals Credit Card Breach

Chuck Floyd, Global President of Operations of Hyatt, just sent out an email to Hyatt guests noting a credit card breach that occurred earlier this year.

Importantly:

Breach took place between March 18, 2017 and July 02, 2017
11 countries (including the USA and two territories) were impacted
Only credit card info (including CID/CVV) was compromised
Hyatt is offering guests free credit monitoring

Here’s the full letter:

Dear Hyatt Guest,

What Happened
We understand the importance of protecting customer information and securing our systems, and we regret to inform you that we self-discovered signs of and resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.

What Information Was Involved
I want to assure you that there is no indication that information beyond that gained from payment cards – cardholder name, card number, expiration date and internal verification code – was involved.

What We Are Doing
Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue. As a result of measures we have taken to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.

What You Can Do
We estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, but the available information and data does not allow Hyatt to identify the specific payment cards that may have been affected. It’s important to Hyatt that we notify our guests and provide helpful information about steps you can take, and you are receiving this communication because you have been identified as a guest who checked in to an affected hotel during the at-risk time period. As always, the primary step customers can take is to review their payment card account statements closely and report any unauthorized charges to their card issuer immediately.

For More Information
For frequently asked questions and a list of affected hotels and respective at-risk dates, please visit hyatt.com/protectingourcustomers. If you have questions or would like more information, please call +1-855-474-9288 (English) or +1-402-938-3421 (Spanish/English) from 7:00 a.m. to 9:00 p.m. CST.

We sincerely regret that this incident occurred and apologize for any inconvenience or concern this may cause you.

Sincerely,

Chuck Floyd
Global President of Operations
Hyatt Hotels Corporation

Which Hyatt Hotels Were Breached?

Hyatt provides a full list of hotels breached here.

Hotels in the USA include:

Koloa, HI // Grand Hyatt Kauai Resort and Spa // March 18, 2017 to July 2, 2017
Lahaina, HI // Hyatt Regency Maui Resort and Spa // March 18, 2017 to July 2, 2017
Wailea, HI // Andaz Maui at Wailea Resort // March 18, 2017 to July 2, 2017

U.S. territories in Guam and Puerto Rico were also affected.

Other nations include:

Brazil
China
Colombia
India
Indonesia
Japan
Malaysia
Mexico
Saudia Arabia
South Korea

CONCLUSION

Thanks to robust credit card protections against fraud, most customers are unlikely to be negatively affected by this news. Still, it is always concerning (in light of the Equifax breach) how easy it is to intercept sensitive information.