Two days before Christmas, Hyatt acknowledged that its payment systems had been infiltrated by cyberthieves.
Details are beginning to fill in the initially sketchy report: on Thursday, Hyatt put out a statement saying that the intrusion likely affected guests at 250 hotels in about 50 countries.
The upshot: if you ate, golfed, had a spa day, parked or stayed at a Hyatt-managed hotel between August 13, 2015 and December 8, 2015, you should probably check your credit card statement for fraudulent charges, since there’s a good chance your card details got slurped.
Hyatt said that its investigation uncovered signs of unauthorized access to payment card data from cards used at certain Hyatt-managed locations, primarily at restaurants.
Hyatt says a “small percentage” of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office.
In addition, a few locations were targeted on or shortly after July 30, 2015.
Hyatt has put up a list of affected locations and at-risk dates here.
The hotel chain’s investigation found point-of-sale (PoS) malware that it said was designed to collect cardholder names, card numbers, expiration dates and internal verification codes from cards used onsite as the data was being routed through infected payment processing systems.
Apparently, no other customer information was affected.
With its long list of 250 affected hotels worldwide, the Hyatt breach is being called one of the widest-ranging incidents in a rash of hotel PoS attacks.
Other hotels that have been hit include the Mandarin Oriental, which in March confirmed it was probing a potential breach in PoS systems in a small number of properties.
For his part, Republican presidential candidate Donald Trump might well love the idea of putting up a wall to keep out Mexican immigrants, but he apparently couldn’t wall out cybercrooks: the Trump Hotel chain was reportedly drained at least as far back as February and up until at least July 2015.
In February 2014, it was White Lodging, the company behind well-known US hotel chains Hilton, Marriott, Sheraton and Westin, that reported that properties in six US cities had been leaking thousands of guests’ credit and debit card information throughout much of 2013.
According to security journalist Brian Krebs, this rash of PoS fraud boils down to the US dragging its feet on switching from stripe-based credit and debit cards to chip-based cards.
Chip-based cards rely on a microchip embedded in the card, as opposed to the magnetic stripe on the back of nearly all cards used in the US until recently.
The data on that magnetic stripe – known as track data – can easily be copied, stored and later used to create counterfeit cards by writing identical data out onto any similar card with a magnetic stripe.
A chip cards, in contrast, can’t be copied in this way, because some of the data needed to process transactions is stored securely in the chip, and undergoes cryptographic processing internally.
In the US, we’re finally starting to see US retailers installing checkout systems that can process chip-based cards.
However, as Krebs points out, most chip cards also have magnetic stripes, for backwards compatibility, so their track data can still be copied and cloned.
Once chip cards and readers reach a point of wide adoption in the US, will we see a fall-off in the success of vampires who drain PoS systems through malware?
But don’t relax yet: Krebs says he’s expecting a “giant spike” in account hijackings and new-account fraud thanks to fraudsters availing themselves of consumer identity data such as date of birth that’s widely available on the dark web.
Keep your eye on those statements!