A widespread malware attack on Hyatt Hotels last year hit about 250 locations worldwide -- with nearly 100 of those in the United States -- according to a list published online late Thursday by the hotel chain, as they shared the latest in their investigation into the breach.
It's the first time the company has released a comprehensive list of the hotels that were impacted by the breach, which was announced in December. The breach came shortly after competitor Starwood hotels told customers they had detected malware in point-of-sale systems at 54 locations.
"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously," Chuck Floyd, global president of operations for Hyatt, said in a statement Thursday. "We have been working tirelessly to complete our investigation, and we now have more complete information that we want to share so that customers can take steps to protect themselves. Additionally, we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future."
Here's what customers who conducted a transaction at a Hyatt last year need to know.
Which Locations Were Hit?
The hotel chain provided a list of the 250 locations it said were impacted by the breach, including the potential dates during which customer information may have been exposed. The unauthorized access mostly occurred between Aug. 13, 2015, and Dec. 8, 2015, the company said. The breach also happened across several Hyatt brands, including the Hyatt Regency, Park Hyatt and Andaz.
What Information Is at Risk?
The hackers appear to have been after cardholder names, card numbers, expiration dates and internal verification codes. It's unclear how many people may have been affected.
The malware was used to mostly infiltrate restaurants inside the hotels, though Hyatt also warned that "a small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period." Customers at a limited number of locations are considered to have been at risk since July 30.
What Has Been Done About the Breach?
In a letter to customers, Floyd said Hyatt worked "quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems" while also notifying authorities and each payment card network.
Customers whose transactions have been flagged as "at risk" should expect to receive either a letter in the mail or an email soon from Hyatt.
Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them. CSID is one of the leading providers of fraud detection solutions and technologies. In order to activate CSID’s Protector coverage, affected customers in the U.S. may visit www.csid.com/hyatt-us and affected customers outside the U.S. may visit www.csid.com/hyatt-intl to complete a secure sign-up and enrollment process. You should also review the additional information in the Reference Guide on ways to protect yourself.
What Can Worried Customers Do?
Customers who believe they made a purchase at one of the impacted locations during the dates they were affected should carefully monitor their account statements for any suspicious activity. They can also sign up to received one free year of identity theft and fraud detection services through CSID.