Hyatt Breach Affected 250 Hotels Worldwide

by Sarah Grotta 0

The announcement that Hyatt was the latest in the continuing string of significant payment data breaches. Similar to other events like this, the data was stolen over a period of several months:

The investigation found that the attackers used malware to collected cardholder names, card numbers, expiration dates and verification codes from systems at a total of 250 hotels worldwide — a list of affected hotels can be viewed here.

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015,” Chuck Floyd, Hyatt global president of operations, said in a statement.

What is different about hotel operations is that many transactions are executed using card on file data that, in this case, was clearly compromised. Also, what complicates the process here is that many full service hotels are really operating several businesses including small shops, spas, plus bars and restaurants. Bars and restaurants have been particularly slow to adopt to EMV readers and other forms of data protection since on a standalone basis, they provide less financial benefit. Restaurants and bars don’t see a lot of compromised card fraud. In this scenario, the business case is different and at least for Hyatt, had far reaching implications, requiring a re-examination of the business model.

In this article regarding the Hyatt event, Mark Bower, global director of product management for enterprise data security at HPE Security – Data Security, provided background on the consideration of combining both EMV and encryption:

“Many organizations have improved POS security with new card reading systems that encrypt the data before it arrives at the POS. “Given the need to update the POS to handle EMV chip cards, the addition of encryption to protect the sensitive data from all forms of payment card is a no-brainer,” he said. “If the POS is compromised with this approach, the attackers get nothing. This data-centric approach is realistically the only way to avoid POS malware impact. Traditional approaches of monitoring and anti-virus will only be effective until the next undetectable malware arrives.”

Overview by Sarah Grotta, Director, Debit Advisory Service at Mercator Advisory Group

Read the full story here