Hyatt Latest Hotel Chain to Disclose Data Breach

Hyatt officials admit that malware infected the chain's systems in 2015. The announcement follows the disclosure of attacks at the Starwood and Hilton chains.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Hyatt security breach

Hyatt Hotels is the latest hotel chain to admit that it has fallen victim to malware that steals customer information from payment systems. The breach began at some Hyatt locations as early as July 30 and extended until Dec. 15, 2015.

Hyatt has published a list of affected locations, which spans 250 hotels around the world. According to Hyatt, the malware's purpose was to steal credit card data from payment-processing systems and collected cardholder names, card numbers and expiration dates.

"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously," Chuck Floyd, global president of operations for Hyatt, said in a statement. "We want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future."

Hyatt is now providing affected customers with free identity-protection services from CSID to help mitigate potential risk for consumers.

The Hyatt breach admission follows other hotel chains that were quicker at disclosing that they were the victims of malware. In late November, Starwood Hotels and Resorts revealed that 54 of its locations were hit by a malware-driven data breach. Starwood owns the Sheraton, Westin, St. Regis and W hotel brands. Hilton Hotels and Resorts publicly admitted in November that it too was breached.

Whether there is a direct link across all the different hotel breaches is not yet known, though security experts eWEEK contacted are not surprised that multiple hotels chains have been attacked.

"Hyatt should certainly have been concerned that they might be vulnerable like Starwood and others were," David Goldschlag, senior vice president of strategy at Pulse Secure, told eWEEK. "Although we don't know whether the specific vulnerability was the same, it appears to have attacked similar functional point-of-sale systems."

Ken Levine, CEO of Digital Guardian, doesn't necessarily think that the Hyatt breach was inevitable, but he's not surprised that attackers targeted Hyatt alongside other hotel chains.

"The current trend for cyber-criminals was moving from retailers and POS systems to large hotels, given the previous breaches on Starwood, Hilton and Marriott," Levine said. "Hyatt would have been a likely candidate on their list."

However, attackers are getting more sophisticated and corporations are not implementing products to stop data exfiltration, Levine said. "Until we prevent data from leaving an organization, which we can do, these incidents will continue," he added.

Large enterprises need to consider security as a primary aspect in new infrastructure they deploy, Goldschlag said, adding that integrating security will continue to be a challenge, as customer-facing businesses continue to aggressively adopt the latest trends, including mobile apps and payments.

"They should also hold their vendors accountable in a more end-to-end manner," Goldschlag said. "That doesn't mean that the enterprise itself isn't ultimately responsible, but the solution owners within an enterprise should demand to understand the capabilities and limitations and best practices recommended by their vendors."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.