Another day, another breach of credit card data. In this case, Hyatt hotels were targeted, this being their second breach in 2 years. Here is part of a message Hyatt sent out and posted on a dedicated website:
We understand the importance of protecting customer information and securing our systems, and we regret to inform you that we discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between (bolding mine) March 18, 2017 and July 2, 2017. A list of affected hotels and respective at-risk dates is available here.
Last night a friend alerted me to this Krebs on Security post on the topic. From there I compared the dates and looked at my stay history. Sure enough, one of my stays at the Hyatt Regency Riyadh was in the window. I charged this stay to my chip-and-PIN corporate credit card and, to my knowledge, have not seen any suspicious activity. So hopefully, it is a non-issue for me.
Which hotels were affected?
A total of 41 hotels were impacted, mostly outside the US. There are 3 in Hawaii: the Andaz and Hyatt Regency on Maui, and the Grand Hyatt Kauai. In addition, 3 Hyatt Place properties in Puerto Rico and the Hyatt Regency Guam are on the list. Eighteen properties were impacted in China, including the Park Hyatt Hangzhou, which I visited last year. A complete listing of impacted properties is available here and below:
Brazil
- Grand Hyatt Sao Paulo
China
- Hyatt Regency Fuzhou, Cangshan
- Grand Hyatt Guangzhou
- Park Hyatt Guangzhou
- Hyatt Regency Guiyang
- Hyatt Regency Hangzhou
- Park Hyatt Hangzhou
- Hyatt Regency Jinan
- Grand Hyatt Lijiang
- Hyatt Regency Qingdao
- Grand Hyatt Sanya Haitang Bay
- Andaz Xintiandi, Shanghai
- Grand Hyatt Shanghai
- Hyatt on the Bund, Shanghai
- Hyatt Regency Chongming
- Hyatt Regency Shanghai Wujiaochang
- Grand Hyatt Shenzhen
- Hyatt Regency Xiamen Wuyuanwan
- Hyatt Regency Xi’an
Colombia
- Hyatt Regency Cartagena
Guam
- Hyatt Regency Guam
India
- Hyatt Place Pune/Hinjawadi
Indonesia
- Grand Hyatt Bali
Japan
- Andaz Tokyo Toranomon Hills
Malaysia
- Grand Hyatt Kuala Lumpur
Mexico
- Hyatt Place Celaya
- Andaz Mayakoba
- Hyatt Place Tijuana
- Hyatt Regency Andares Guadalajara
Puerto Rico
- Hyatt Place Bayamón
- Hyatt Place Manatí
- Hyatt Place San Juan
Saudi Arabia
- Jabal Omar Hyatt Regency Makkah
- Park Hyatt Jeddah
- Hyatt Regency Riyadh Olaya
South Korea
- Park Hyatt Busan
- Hyatt Regency Jeju
- Grand Hyatt Seoul
United States
- Grand Hyatt Kauai
- Hyatt Regency Maui
- Andaz Maui
I’ve visited several of these properties, but thankfully only one during the breach.
What was stolen?
From Hyatt’s FAQ:
The incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. There is no indication that any other information was involved.
What should you do?
If you stayed at any of the Hyatt properties listed above between March 18 and July 2, 2017, be extra vigilant about suspicious charges on your cards. Supposedly Hyatt is going to notify all guests that were impacted by this. I stayed in one of the listed properties during the time period, but I didn’t receive any notification directly from Hyatt. Fortunately, I don’t seem to have any fraudulent charges. Thanks to the post by Krebs, as well as Matthew on this topic, I’m at least aware of the breach.
Did you visit any of these hotels this year?