The Hyatt Corp. is no stranger to security breaches involving guest credit card data. Back in December 2015, the hotel chain experienced a massive credit card data breach that affected 250 hotels in 50 countries. While Hyatt at the time promised that they had taken significant steps to mitigate the damage and prevent further attacks, they have recently learned the hard way that hackers will always find a way.
As reported by Kaspersky Lab’s Threatpost, the hotel giant suffered another credit card data breach that directly targeted its customers. The breach affects 18 hotels in China, three hotels in the United States (specifically Hawaii), and an unspecified number of hotels in India, Japan, and Saudi Arabia. Customers potentially exposed by the breach are those who stayed at Hyatt properties between March 18 and July 2.
According to Hyatt’s official statement by Chuck Floyd, global president of operations, the attack can be traced to “an insertion of malicious software code from a third party onto certain hotel IT systems.” Floyd went on to state that the company estimates the breach involved only “a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period.” Paradoxically, however, following this declaration Floyd admits that “the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.”
Because of this, it isn’t clear how many individuals may have been affected by this credit card data breach, so every possible victim should monitor their credit card accounts carefully for unauthorized purchases. Hyatt gave assurances that it has taken measures to prevent this from occurring again, just as it did in December of 2015, which is an exercise in futility. The threat needs to be understood as something dynamic and adaptable to changes in security, rather than a singular attack method that protocols alone can prevent.
In general, the hospitality industry has been dealing with complex and damaging attacks thanks to one singular network of criminals. As researchers at Trustwave note in an extensive report on the group’s attack methods, a large contingent of the hospitality industry has been targeted by threat actors dubbed the “Carbanak gang.” This group is responsible for numerous high-profile incidents, from “stealing over $1 billion dollars from banks in 2015” to “orchestrating an attack on the Oracle Micros POS support site that put over one million Point of Sale systems at risk.” While the most recent attack against Hyatt has not been proven to be the work of the Carbanak gang, it wouldn’t be far-fetched to believe that they could easily pull it off.
No matter who is pulling off the attacks, hotel chains need to brace for more cyberattacks in the future. As these previous breaches have shown, the attacks are quite effective, and until they are somehow prevented at a higher rate, they will continue to occur.