Hyatt breach exposed customer payment data at 41 hotels

Hyatt announced today that its payment systems were breached, exposing credit card data from 41 hotels in 11 countries. The hack was discovered in July and the investigation only just recently concluded.

The three U.S. hotels affected were all in Hawaii, with the remaining 38 scattered around the world (China had the most trouble).

In a statement, Hyatt said it “has taken steps to strengthen the security of its systems, and customers can feel confident using payment cards at Hyatt hotels worldwide.”

Wait, no. That’s from the statement it issued when it was hacked in late 2015.

The new statement reads: “we have resolved the issue and implemented additional security measures to strengthen the security of our systems. Customers can confidently use payment cards at Hyatt hotels worldwide.”

If these improvements are anything like the ones they put in two years ago, your confidence is clearly misplaced. Hackers were able to collect credit card numbers, expiration dates, cardholder names, and “internal verification code,” presumably the three-digit one on the back. Only “a small percentage” of cards swiped at the front desk were stolen, but Hyatt did not offer any specific numbers.

Affected customers will have been notified directly if contact info was available, but that’s no guarantee. And the company itself admits that “the available information and data does not allow Hyatt to identify each specific payment card that may have been affected.” So even they don’t know exactly what the extent of the breach is, apparently.

If you swiped a card at any Hyatt property between March 18 and July 2 of this year, you should probably keep an eye out for unauthorized transactions. The 41 hotels listed here are supposedly the only ones affected, but you can never be too careful.