Hyatt is alerting customers about another credit card breach at some of its hotels – 41 hotels in 11 countries. This is the second major incident at the hospitality chain in as many years. Hyatt said its cybersecurity team discovered signs of unauthorised access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. IT security experts commented below.
Lisa Baergen, Director at NuData Security:
“This event, through the spring and early summer of this year, seems to involve properties in every country in which Hyatt does business. The harvested customer payment card data – including expiration dates and verification codes – is extremely valuable data that will be sold on the Dark Web or used in credit card cycling scams. It’s also easily combined with other stolen data to build entirely new synthetic personas for all manner of fraud.
“It’s imperative that every organisation handling this level of sensitive payment and customer data consider adopting more advanced security measures in the form of multi-layered integrated solutions that include passive behavioural biometrics. The use of passive behaviour detection to immediately and transparently ascertain authentic from fraudulent customers will defy fraudsters and protect brands’ reputations, as well as their customer data.
“The travel and leisure industry – like so many consumer-facing sectors – has time and again shown itself extremely vulnerable to breaches. This latest concerning breach is just one more reason why companies such as Hyatt must adopt more advanced security and authentication measures based on trusted identity, and consumers must diligently, routinely check their credit files for suspicious credit applications and consider freezing their credit profiles.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“Another day and yet another data breach. Despite the ever-increasing threat of cybercrime, it seems that many companies are still struggling to properly secure their customers’ data. While the notion of breach fatigue is very real, millions of customers will now be wondering if their personal details are in the hands of criminals – and what kind of impact that might have on them now and in future.
“All organisations, but especially those that hold personally identifiable information, must ensure their security tools are fully integrated with automated monitoring in place. Having the right combination of people, process and technology is vital to effective data protection. It’s often a case of when, not if, systems will be attacked. To stay ahead of criminals, maintain operational efficiency and boost profitability, enterprises must be able to rapidly detect a threat and correct any damage.”
Mike Patterson, Co-founder and CEO at Plixer:
“From this breach, cybercriminals were able to steal the data required to make fraudulent purchases (cardholder names, expiration dates, and internal verification codes). Hyatt is urging all customers to monitor for fraudulent card activity, which indicates they don’t actually know whose data was stolen. Network traffic analytics and historical forensics should be deployed on every network so that when these inevitable data breaches occur, organizations can know what data was stolen and understand specifically who needs to be notified.”
Christian Lees, Chief Information Security Officer at InfoArmor:
“We continue to see threat actors specifically targeting hotels and accessible retail outlets where credit card transactions are both routine and frequent. PII and credit card data continue to be solicited and monetized in underground communities as a simple and viable way to fund further nefarious activity. As long as there is a market demand for this data, there will be those who will work to obtain it and profit from that activity.”