The Hyatt Hotel chain has suffered its second breach in a year. Once again customers have had their credit card data stolen. The breach affected 41 hotels and the attacks took place between March 18 and July 2 this year. Hyatt properties in China were affected the most with 18 different hotels attacked.
The attack appears to have been focused on Point Of Sale (POS) and other hotel systems. Hyatt has told customers that only a small percentage of payment cards have been affected. It says that the data stolen includes cardholder name, card number, expiration date and the security code. However, the hackers may have to work a little harder than usual to use the data, as the hotel chain says no other data was stolen. This means date of birth, address and other details from customers' Hyatt accounts were not taken.
Unlike the Equifax breach, Hyatt appears to have acted quickly to reassure customers. However, the exact date when the company was aware of the breach is not clear. It is also unclear if the breach was caused by a failure to patch systems or a more active attack against a third-party supplier. Given the limited number of properties affected, it is likely that the latter is the cause of the problem.
Hyatt has issued both a statement covering the breach and a page where customers can check, by country, which hotels have been affected. It believes it has also identified all those customers affected and says they have all been contacted. So far, there is no indication that the company is offering credit and fraud monitoring services to those customers.
According to Peter Carlisle, VP EMEA, Thales e-Security: “Companies such as hotel chains that are in possession of a wealth of customer data are increasingly becoming a prime target for hackers, particularly as their approaches become ever more sophisticated.
“Businesses need to ensure that they minimise the damage caused as a result of breaches such as this by having effective and robust cyber security strategies in place. By embracing measures like encryption, tokenisation and key management, stolen personal data can be rendered useless to hackers.”
What does this mean?
Hyatt has been quick to publicly admit the breach of data and has outlined what has been lost. It has not yet completed a full report into the breach, and when it has, it is hoped that the report will be released. What is interesting is that the company says the breach was detected by its security systems. In addition, it claims the way its security works prevented a far more serious breach of the data.
Hotels offer rich pickings to hackers. It is not just the cards and data about guests that they are after. If they can establish who is where and when, they can build highly focused phishing attacks targeting certain guests. Some of the attacks are likely to be simple fraud activity. Others will seek to use those individuals to get access to company systems.
While it is good news that Hyatt detected this attack, it will be embarrassed that this is the second breach in a year. The previous breach came through a third party that managed certain properties. We wait to discover the details of exactly who is at fault this time.