Hyatt suffers second data breach in two years

The Hyatt Regency Maui Resort and Spa is among those affected by the latest breach.

Hyatt Hotels Corporation revealed last week it suffered a breach of its payment systems, exposing customer credit card data from 41 hotels in 11 countries worldwide. It took Hyatt nearly three months to inform customers about the breach, which was discovered in July. The breach impacts customers who used credit cards at affected hotels from March 18 to July 2.

Based on Hyatt’s investigation into the breach, it appears that malicious software code from a third party was inserted onto certain hotel information technology systems. A list of impacted hotels can be found here. In total, 41 hotels are affected, almost half of which are in China. Irregular activity has also been detected in Hyatt hotels in Brazil, Columbia, Guam, India, Indonesia, Japan, Mexico, Puerto Rico, South Korea, and Hawaii.

In a statement, Chuck Floyd, global president of operations for Hyatt Hotels said, “I want to assure you that there is no indication that information beyond that gained from payment cards—cardholder name, card number, expiration date and internal verification code—was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.”

Back in 2016, Hyatt disclosed a breach of payment cards that affected 250 hotels in approximately 50 countries, making it one of the most wide-ranging incidents in a rash of hotel cyberattacks. Also that year Hilton, Mandarin Oriental, Trump Hotels and Starwood Hotels & Resorts Worldwide were affected by hacker attacks.

Hyatt isn’t the only major hotel company to have suffered a data breach in recent months. Most recently, a data breach at third-party hotel-reservations provider Sabre impacted multiple hotels, including those from Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and RLH CorporationInterContinental Hotels Group also has announced two data breaches this year.