After reporting in December that it had found malware on the computers operating the company's payment processing systems, Hyatt listed 250 hotels that could have exposed information stored on the payment cards, including cardholder names, payment card numbers and internal verification codes and expiration dates.
The malware, which the hotel's investigation showed was on the system starting in July, was discovered on 30 November as part of normal IT operations.
“The investigation identified signs of unauthorised access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between 13 August 2015 and 8 December 2015,” the company said in a statement.
“A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after 30 July 2015.”
The company said that once the malware was discovered it “worked quickly” with third-party security pros to investigate the malware, which it said grabbed card data as it “was being routed through affected payment processing systems”.
“Though it is common to see malware capture credit cards at the time of the swipe, in this instance, the malware collected card data while it was being routed through the affected payment processing systems, according to Hyatt's statement,” Brad Cyprus, chief of security and compliance at Netsurion, said in comments emailed to SCMagazine.com.
“2016 is picking up right where we left off last year, with more evidence of the IT security threat the hospitality industry is facing.”
Noting that hospitality companies “face extraordinary challenges” in protecting data at the point of sale (POS) because “card-on-file transactions are common”, so card data is “stored longer than typical,” Mark Bower, global director of product management, enterprise data security for HPE Security, said in comments emailed to SCMagazine.com,
“It appears a good portion of breached data came from the restaurant side of the hotel chain's facilities” which use “integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself”.
Hyatt does not believe any other information was exposed, but urged customers to keep an eye on payment card activity. The hotel chain has started sending notifications “for at-risk transactions where a cardholder's name was affected”. The company will provide a year of CSID Protector services to those affected.
Twistlock chief strategy officer Dr. Chenxi Wang noted in comments emailed to SCMagazine.com, that while few details have emerged “Hyatt will have to show the world whether it was using state-of-the-art encryption, data masking, and secure communications methods. I will not be surprised that some parts of their systems were to be found with lacklustre security”.
The breach raised questions as to whether “Hyatt was deemed PCI-compliant at the time”, mused Wang. “Clearly they failed to protect customers' payment data,” she said, noting the growing resourcefulness of cybercriminals.
The incident should also serve as a wake-up call to the industry to get security in hand. “In the new year, these businesses, from individually owned hotels to large, national chains, should resolve to strengthen security postures,” said Cyprus.
“Many quick service and restaurant organisations have implemented newer data-centric security in these platforms by the addition of new card reading systems which encrypt the data before it arrives into the POS itself,” Bower said. “Given the need to update the POS to handle EMV chip cards, the addition of encryption to protect the sensitive data from all forms of payment card is a no-brainer.”
With encryption in play, if a POS is compromised, then “the attackers get nothing”, he said. “This data-centric approach is realistically the only way to avoid POS malware impact.”
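As an added illustration of the reader-side encryption Bower describes (example code, not anything from Hyatt, HPE or SC Magazine), the Go below models a card reader that encrypts the track record under a key the POS never holds, and runs the kind of Luhn-based cleartext-PAN scan an assessor would run over the POS data path: the legacy path exposes the PAN, the encrypting-reader path exposes nothing. The track record and the test PAN 4111111111111111 are constructed sample values, and AES-GCM stands in for whatever scheme a real P2PE reader uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"regexp"
)

// Constructed sample record; the PAN is the standard Luhn-valid test number, not a real account.
const SampleTrack = "PAN=4111111111111111;EXP=2512;NAME=DOE/JANE"

var digitRun = regexp.MustCompile(`[0-9]{13,19}`) // candidate PAN lengths

// LuhnValid is the checksum a cleartext-PAN scan applies to separate card numbers from other digit runs.
func LuhnValid(s string) bool {
	sum := 0
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if (len(s)-1-i)%2 == 1 { // every second digit from the right is doubled
			d = d*2 - 9*(d/5) // minus 9 when the doubled value has two digits
		}
		sum += d
	}
	return sum%10 == 0
}

// FindPlaintextPANs scans a buffer (POS memory, a payment-path message) for Luhn-valid digit runs.
func FindPlaintextPANs(buf []byte) []string {
	var found []string
	for _, m := range digitRun.FindAllString(string(buf), -1) {
		if LuhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// ReaderEncrypt models the reader encrypting track data (AES-256-GCM, random nonce prepended)
// under a key the POS never holds; the POS then only forwards this ciphertext to the processor.
func ReaderEncrypt(key, track []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, nil), nil
}
```

Running FindPlaintextPANs over a real POS host's memory or payment-path captures is the check that tells you whether the encryption actually happens before the POS, rather than after the data has already been exposed.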
And Wang called for the PCI Council as well as the whole industry “to raise the bar for minimal acceptable protection standards to protect consumer data”.