This Week in Breaches: Hyatt Hotels

In late November of last year, Hyatt acknowledged that malware affecting credit card payment data had been found within its systems. An investigation was launched with third-party security companies Mandiant and Kroll, and a public announcement of the breach was made on December 23, 2015. [i]

The investigation concluded on January 14, 2016, and it has been reported that 250 hotels and resorts across 50 countries were affected, including locations in Canada and the United States. The affected Canadian locations are listed below.

| Location  | Property name           | Dates at risk          |
|-----------|-------------------------|------------------------|
| Calgary   | Hyatt Regency Calgary   | 8/13/2015 – 12/8/2015  |
| Montreal  | Hyatt Regency Montreal  | 8/13/2015 – 12/8/2015  |
| Toronto   | Hyatt Regency Toronto   | 8/13/2015 – 12/8/2015  |
| Toronto   | Park Hyatt Toronto      | 8/13/2015 – 12/8/2015  |
| Vancouver | Hyatt Regency Vancouver | 8/13/2015 – 10/14/2015 |

These breaches centered on payments made at Hyatt restaurants between August 13, 2015 and December 8, 2015. In addition, a smaller percentage of amenities, including spas, golf shops, parking and some front desks/sales offices, had at-risk cards used between these dates. The full list of affected locations can be found here.

The investigation reported that the malware collected data from cards used on site rather than from online transactions, enabling the hackers to obtain sensitive data such as cardholder names, card numbers, expiration dates and the internal verification codes.

Hyatt wasn’t the only hotel chain to report a data breach in the past year. POS malware was also found at the following hotels:

  • Trump Hotels, affecting North American cardholders between May 2014 and June 2015
  • Starwood Hotels, affecting North American cardholders between November 2014 and May 2015
  • Hilton Hotels, affecting cardholders internationally, intermittently from 2014 to 2015

Here are some key recommendations from our team of experts for ensuring your POS systems are secure and safe:

  • Keep POS software up to date and perform vulnerability testing
  • Restrict internet access from POS systems and terminals
  • Monitor POS systems and all data activity
  • Use secure (and regularly updated) passwords and 2-factor authentication
  • Use end-to-end encryption for all POS data
  • Install firewalls and run anti-malware software
  • Don’t forget about physical security – train employees to be on the lookout for tampering attempts!

The last thing a customer travelling for business or on a relaxing vacation needs is to have their personal information stolen.

Connect with Secure Sense to protect your data, network and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.


[i] For further information on the Hyatt breach read here:
http://www.hyatt.com/protectingourcustomers/faq/