Slashdot Mirror


Hyatt Hotels Payment-Processing Systems Hit By Malware (csoonline.com)

itwbennett writes: Hyatt Hotels said Wednesday that it recently identified malware on the computers that run its payment-processing systems. And while Hyatt didn't provide more details on the breach, including how many customers might be affected, the alert to customers asking them to closely check their credit card statements suggests that hackers may have obtained critical credit card information. The breach is the latest in a series of attacks in the hospitality industry, which include Hilton Worldwide, Mandarin Oriental and Starwood Hotels & Resorts Worldwide.

32 comments

  1. Hyatt Hotels hit by malware .. by nickweller · · Score: 1, Insightful

    By any chance was this Payment-Processing System running on Microsoft Windows?

    1. Re:Hyatt Hotels hit by malware .. by sinij · · Score: 1

      Why would it matter? They would be equally screwed in an all-Linux shop.

      You don't stop targeted malware at OS level, you stop it at the network level when it attempts to dial home.
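The "stop it at the network level when it attempts to dial home" idea above is, in practice, an egress allowlist for the card-processing segment plus alerting on anything that falls outside it. The following is an added example written for this thread, not code from the original post or from any hotel operator; the POS subnet, the allowlisted processor destinations and the firewall log lines are all constructed for illustration.

```python
"""Egress allowlist check for a card-processing network segment.

Added example, not code from the thread or from Hyatt: the POS subnet,
the allowlisted processor destinations and the firewall log lines are all
constructed for illustration.
"""
import ipaddress

# Constructed: the subnet holding the payment terminals / POS hosts.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed: the only (destination network, port) pairs a POS host has a
# legitimate reason to reach, e.g. the processor gateway and an internal
# update server. Anything else is a candidate "dial home".
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),  # payment processor (TEST-NET-3)
    (ipaddress.ip_network("10.10.5.10/32"), 8443),  # internal update server
]

# Constructed firewall log, one connection per line:
# "<timestamp> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>"
SAMPLE_LOG = """\
2015-12-23T10:00:01 10.20.0.15:51234 -> 203.0.113.7:443 ALLOW
2015-12-23T10:00:02 10.20.0.15:51235 -> 10.10.5.10:8443 ALLOW
2015-12-23T10:00:05 10.20.0.22:51236 -> 198.51.100.9:443 ALLOW
2015-12-23T10:00:07 10.20.0.15:51237 -> 203.0.113.7:80 ALLOW
2015-12-23T10:00:09 10.20.0.31:51238 -> 198.51.100.9:8080 DENY
2015-12-23T10:00:11 10.20.0.22:51239 -> 198.51.100.9:443 ALLOW
2015-12-23T10:00:12 192.168.1.5:40000 -> 198.51.100.9:443 ALLOW
"""


def parse_line(line):
    """Split one log line into its fields; the destination port becomes an int."""
    _ts, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "src": ipaddress.ip_address(src_ip),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dport),
        "action": action,
    }


def is_allowed_egress(dst, dport):
    """True when (dst, dport) matches one of the allowlisted pairs."""
    return any(dst in net and dport == port for net, port in EGRESS_ALLOWLIST)


def find_unexpected_egress(log_text):
    """Connections from POS hosts that fall outside the allowlist.

    DENY lines are reported as well: a blocked attempt is still evidence
    that something on the host tried to reach out."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["src"] not in POS_SEGMENT:
            continue  # not a payment host; out of scope for this check
        if is_allowed_egress(rec["dst"], rec["dport"]):
            continue
        findings.append((str(rec["src"]), str(rec["dst"]), rec["dport"], rec["action"]))
    return findings


def hosts_to_isolate(findings):
    """POS hosts that actually completed a connection outside the allowlist."""
    return sorted({src for src, _dst, _port, action in findings if action == "ALLOW"})


if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_LOG)
    for src, dst, port, action in hits:
        print(f"{src} -> {dst}:{port} {action}")
    print("isolate:", ", ".join(hosts_to_isolate(hits)))
```

On the constructed log this flags four connections (two hosts reaching an unknown address on 443, one host using port 80 towards the processor, and one blocked attempt on 8080) and names 10.20.0.15 and 10.20.0.22 as the hosts that actually got out. The allowlist is deliberately keyed on both network and port, since a processor gateway that is reachable on any port is not much of a restriction.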

    2. Re:Hyatt Hotels hit by malware .. by Anonymous Coward · · Score: 2, Insightful

      And how does that matter? This isn't 1998 anymore. All operating systems have vulnerabilities. All IT teams need to make decisions balancing security, manageability, reliability, cost, etc. All large IT teams have staffs with varying amount of intelligence and dedication. The choice of operating system has so little to do with it anymore. Grow up.

    3. Re:Hyatt Hotels hit by malware .. by ClaraBow · · Score: 1

      How did you come to this quick conclusion? Do you have some insight? If not, then you are trolling.

    4. Re:Hyatt Hotels hit by malware .. by sinij · · Score: 4, Insightful

      'I run Linux, therefore I am secure', which is the unstated premise of the original post, is not a justifiable position in 2015. Especially when you are dealing with a high-value target like payment processing.

    5. Re:Hyatt Hotels hit by malware .. by Anonymous Coward · · Score: 1

      Sorry I have to call bullshit on that. Windows is a closed proprietary system, the absolute last type of system you want to use on a "high-value target like payment processing". You're correct that running Linux is not a panacea; I think few are stating that. But it's been proven that 0-days are patched much more quickly on open source packages than waiting for Patch Tuesday or whatever Microsoft calls it now.

      Most importantly, the closed source vendor may never release a patch to a dangerous flaw...a flaw that you may never have been made aware of!

      Besides, most of these leaks we're seeing in the press appear to be inside jobs. A good question to ask is how many are happening without companies knowing about it. Using proprietary software just amplifies the number of ways that your system can break.

      P.S. Btw, if your security plan is to rely on protecting yourself at the network level then you might as well hang it up, you're fscked. If the bad guys have the upper hand at the OS and application level they can do pretty much whatever they want.

    6. Re:Hyatt Hotels hit by malware .. by Anonymous Coward · · Score: 0

      Hate to burst your bubble, but by far the system used most for high-value targets like payment processing is z/OS, a closed-source proprietary system. And as for Linux, yes, it is possible that a developer will release a patch for a 0-day problem quicker than MS, but no sane shop installs those patches, they wait for their vendor to vet and release them.

    7. Re:Hyatt Hotels hit by malware .. by Anonymous Coward · · Score: 0

      Let's be real here... if top tier companies with billions of dollars to throw at security like Sony, Target, and the contractors for the OPM can't stop the bad guys, then how can a hotel do it?

      All this talk about "oh, it's network security", "it's AD security" is just making bigger sandcastles where the tide is coming in... doesn't matter what time you spend, it gets washed away.

    8. Re:Hyatt Hotels hit by malware .. by UncleTogie · · Score: 1

      But it's been proven that 0-days are patched much more quickly on open source packages than waiting for Patch Tuesday or whatever Microsoft calls it now. Most importantly, the closed source vendor may never release a patch to a dangerous flaw...a flaw that you may never have been made aware of!

      Thank God that open-source means that all code will be reviewed and will never have vulnerabilities. https://en.wikipedia.org/wiki/OpenSSL#Notable_vulnerabilities

      But hey, let's see proof of the OSS movement patching 0-days quicker, please.

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    9. Re:Hyatt Hotels hit by malware .. by Anonymous Coward · · Score: 0

      If you focus on the network, you wind up ignoring other vectors. If you focus on the hosts, you wind up ignoring stuff going on the network.

      The trick is defense in depth. Have the IDS/IPS (which should have been in place because it would have stopped this attack dead in its tracks). Had AppLocker or some other mechanism for not running signed executables been in place, the malware would not have run. This can be as simple as a -noexec filesystem in Linux.

      However, because a lot of businesses believe that security has no ROI, we will be not just seeing these attacks, but worse ones. This attack will be completely forgotten about in a few months, and long-term breaches do no measurable damage to a company, while paying for decent security does hurt the bottom line.
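The noexec point in the post above is only as good as the mount table actually says it is, so one concrete layer of that defense in depth is an audit of which writable filesystems carry noexec/nosuid/nodev. The following is an added example, not code from the thread; the /proc/mounts-style lines are constructed and the baseline table of mount points is a hypothetical policy, not any vendor's.

```python
"""Mount-option audit: writable filesystems that lack noexec/nosuid/nodev.

Added example, not from the thread. SAMPLE_MOUNTS is constructed in
/proc/mounts format and REQUIRED_OPTIONS is a hypothetical baseline.
"""
import os

# Constructed sample in /proc/mounts format:
# <device> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /var/tmp ext4 rw,relatime 0 0
/dev/sdc1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /srv/pos-data ext4 rw,nodev,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,noexec 0 0
"""

# Hypothetical baseline: writable locations that should never hold
# executable content. Keys are mount points, values the required options.
REQUIRED_OPTIONS = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid", "nodev"},
    "/home": {"noexec", "nosuid", "nodev"},
    "/srv/pos-data": {"noexec", "nosuid", "nodev"},
}


def parse_mounts(text):
    """Map mount point -> {fstype, options} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line
        _device, mountpoint, fstype, options = fields[:4]
        mounts[mountpoint] = {"fstype": fstype, "options": set(options.split(","))}
    return mounts


def audit_mounts(text, policy=REQUIRED_OPTIONS):
    """Return {mountpoint: sorted list of missing options}.

    A policy path that is not a mount point of its own is reported as
    "not a separate mount": noexec is a mount option, so it cannot be
    applied to a plain directory living on the root filesystem.
    Read-only filesystems are skipped; nothing can be dropped onto them."""
    mounts = parse_mounts(text)
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            findings[mountpoint] = ["not a separate mount"]
            continue
        opts = mounts[mountpoint]["options"]
        if "ro" in opts:
            continue
        missing = sorted(required - opts)
        if missing:
            findings[mountpoint] = missing
    return findings


if __name__ == "__main__":
    # Audit the live system when /proc/mounts exists, else the constructed sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS
    for mountpoint, missing in sorted(audit_mounts(text).items()):
        print(f"{mountpoint}: missing {', '.join(missing)}")
```

Against the constructed table this reports /var/tmp (missing all three options), /dev/shm (missing noexec) and the hypothetical /srv/pos-data mount (missing noexec and nosuid), while /tmp and /home pass. The "not a separate mount" finding is the one people usually miss: a baseline that lists /var/tmp does nothing if /var/tmp is just a directory on the root filesystem.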

  2. Directed attacks by houghi · · Score: 1

    This feels as if it was a directed attack. This could mean that the cards read were the cards used, not so much cards that were stored by them.

    Obviously still an issue if that is the case, but if it happened that way, not blatantly so. It also could be that it is just the web reservation. That would be worse than the terminals, because the website will include the CVV code and thus can be used much easier.

    --
    Don't fight for your country, if your country does not fight for you.
  3. Critical credit card information by Anonymous Coward · · Score: 0

    Good thing my credit card isn't critical!

  4. shouldn't this be a solved problem by now? by Anonymous Coward · · Score: 0

    Step 1: Don't put your payment processing system / nuclear reactor C&C / pacemaker on the internet.

    Step 2: Profit.

    1. Re:shouldn't this be a solved problem by now? by sinij · · Score: 2

      How am I supposed to make profit if I can't put my nuclear reactor C&C on the internet?!

    2. Re:shouldn't this be a solved problem by now? by sglewis100 · · Score: 1

      Step 1: Don't put your payment processing system / nuclear reactor C&C / pacemaker on the internet.

      Step 2: Profit.

      I think step 1 cancels step 2. I'd go elsewhere. "Thank you for booking online at Hyatt.com for your discounted, prepaid hotel reservation. Please call 1-800-HYATT in the next 2 hours to secure your room by reading us your credit card number over the phone."

      Payment processing systems need to have links to the Internet. Inbound (yes you can have firewalls and proxy servers in between) to receive payment information and outbound (so you can authorize transactions to your merchant processor).

  5. Constant Leaks by Anonymous Coward · · Score: 1

    In my lifetime I have had my data leaked by (at least) a University I applied to, Home Depot, Target, T-Mobile, and my rental apartments that required a background check. I stayed at the Hyatt for Thanksgiving and recently booked there for a Wedding coming up. Just yesterday I got an email from Chase that my password/email/and phone number on the account was changed. How did they get through my secret pass phrase.... the operator gave them a new one because they knew my SSN (which the fraud dept said wouldn't happen), Capital One also did this in the past (Capital One even allowed the scammer to make my new passcode question "what is my last name"). So this is the perfect system we have now. Constant leaks that I can't stop and constant attempts to change my cards and add loans. If you get a leak the company gives you 1-2 years of credit watching, because as we all know your SSN is only good for 2 years (sarcasm). You can block your credit for 7 years after a police report but they can still try taking over existing cards. I am sure I am just very unlucky but honestly this is a crazy system that I have to fight to keep my pristine credit. Only when the credit card companies start going after the leaks by charging the companies will we see a change. That or congress' info gets leaked and they make a new bill allowing for a simple SSN change.

  6. I worked on that system (almost 20 years ago) by Anonymous Coward · · Score: 1

    At the time, it was a C program running on HP/UX. I'm guessing that they replaced it with a Windows-based system since then.

  7. Panacea: by vikingpower · · Score: 2

    don't use credit cards. I don't. I pay cash. Car rentals, hotels, flights. Besides the fact that I don't incur debt - as "paying" with a credit card is actually paying with borrowed money - no data can be leaked. Sure, I am European and live in Europe. When I slap down € 2000 on the desk of a car rental company, I can drive away with a VW Golf. In the US it's virtually impossible to live without a credit card. Which demonstrates the sickness of the whole system, IMHO.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:Panacea: by sglewis100 · · Score: 1

      Stolen cash is reimbursed by your bank at a rate of $0 reimbursed for every $1 lost. Credit cards are reimbursed at $1 to $1. I'm not advocating running up a lot of debt and paying interest, but man, would my business travel be almost impossible without the cards I use (and pay off 100% every month once I get my expense check deposited).

      I'd also miss out on all the great deals, like the 60,000 miles I got for AA, plus priority boarding and free checked bags for using their Citi sponsored card. Try booking a flight, hotel and car without a card. And the companies don't care... yeah they don't get 19% interest off of me, but they still get a few points off the merchant.

      I also found more favorable exchange rates in Europe, speaking of Europe using my card and getting billed direct in € than going through banks and exchange counters.

      Incidentally... hoping that was a typo. € 2000 to rent a car?

    2. Re:Panacea: by vikingpower · · Score: 1

      €2000 = deposit. Also, here in Europe, I can pay in cash for hotels and tickets, no problemo.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    3. Re:Panacea: by Anonymous Coward · · Score: 0

      Go back to bed grampa.

    4. Re:Panacea: by aaarrrgggh · · Score: 1

      That is really poor use of your capital, and a terrible sense of financial planning. If your weakness is you can't manage your spending without using cash, you should figure out how to deal with that. A credit card can offer rebate points, can have no up-front costs, offers fraud protection, etc. which make it a zero-cost or negative-cost tool.

      Short term debt is financial leverage. If the goods you purchase have the same cost, there is no benefit to using cash.

      Carrying a balance and paying interest though is stupid.

    5. Re:Panacea: by Anonymous Coward · · Score: 0

      you don't sound married

    6. Re:Panacea: by vikingpower · · Score: 1

      Disagree. Expenses such as airline tickets and car rentals are to me, being an independent engineer, things I should be able to finance immediately out of my own pocket. Being able to do so is the result of sane financials. Running up debt for such things, even if it is short-term debt, is an unnecessary complication and inevitably has a cost. Short-term debt is only financial leverage iff it helps to secure a major deal that otherwise I could not have secured. Which has not happened until now. I learned all my financial planning from my mum, who managed to run our 2-children, 2-adult household from the income of a simple beekeeper, paying off the mortgage on a house in the process. Lesson #1: don't run up debts for consumption goods or services, ever. Ever. It has served me well.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    7. Re:Panacea: by vikingpower · · Score: 1

      Ah, and here are lessons #2 and #3. Lesson #2: save 10% of what you earn, if you can (if you can't, save whatever you can). Lesson #3: only cash and gold are money. A balance on a bank account is not real money. Stock isn't, either. Nor are government bonds or loans to other people. All these things represent monetary value, and may one day be converted to money. They may also evaporate.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    8. Re:Panacea: by aaarrrgggh · · Score: 1

      While my parents taught me the same things in terms of financial planning, it is still a poor strategy to use only cash. Income, spending, (savings), and financing are different issues. If you defer a cash outflow of $1,000 for 30 days that is $2-10 of interest you could have made. If you get "points" for credit card spending, that is another $10-20. If you think in terms of insuring the cash against theft or loss, that is another $10-20. How much value this has to a person is a function of how much they spend.

      That said, if you can negotiate a $50 savings on that $1,000 transaction for using cash rather than credit it is clearly a better use of capital.

    9. Re:Panacea: by vikingpower · · Score: 1

      Yes. Very often, when offering to pay cash, I can get € 50 off on, say, a €1000 transaction. People don't get to see cash a lot anymore these days, but they sure **love** it. Which is another reason to use cash I have grown so accustomed to I didn't even include it in my list of more formal reasons.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  8. They need to be fined. Heavily. by grahamsaa · · Score: 1

    Until customers aren't the only ones left on the hook in the case of breaches like this, companies like Hyatt aren't going to take security seriously. Sure, they might pony up for credit monitoring, but that does little to actually make customers whole if their identities are stolen or their bank accounts are emptied. If we were to start fining companies like this, say, $10,000 per card number / identity / sensitive detail stolen, I have a feeling these breaches would become far less common. Until we do this, we shouldn't expect Hyatt to care.

    --
    Facts have a liberal bias.
  9. I worked at Starwood Hotels by Anonymous Coward · · Score: 0

    I worked at Starwood Hotels for about a couple years. Their code base is a giant mess. They were going through a period of on-shoring after a disastrous adventure of offshoring. 90% of their developers are contractors from offshore companies, and most of my work was trying to make sense of what the code was and how to mitigate the problems.

    Nothing would compile off the bat, you needed to know the special tricks and turn off every warning there was to get it running on your development box. It was running on Java 1.5, and would only work on IE 6. Bugs begat bugs, and the management was going in conflicting directions without really knowing how to control the horror that was unfolding.

    That was too bad, the Stamford, CT offices were actually pretty nice and right off the train station where I commuted from Manhattan, it would have been a good place to work if it wasn't a crazy zoo of mediocrity and code that absolutely made no sense and was checked in only because it compiled. I am not in the least bit surprised they are running into these problems with security.

    I will stay in Starwood Properties, the hotels are actually pretty nice. I'd pay cash and give a fake name though. I don't need people getting to my private information when it inevitably gets leaked.

  10. This is not a new song and dance by Anonymous Coward · · Score: 0

    This isn't new, it's a very easy attack vector because a lot of companies don't properly segregate the guest and business networks, making it an easy target for anyone on the guest network.

    https://www.ftc.gov/news-events/blogs/business-blog/2015/08/third-circuit-rules-ftc-v-wyndham-case

    Wyndham was fined by the FCC in the past and I guess they lost their appeal in August of this year.
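The segregation failure the post above describes is usually not a missing rule but a misordered one: a broad allow placed above the guest-isolation deny quietly reopens the business VLAN. The following is an added example, not code from the thread or from any of the hotel chains named; the networks, the two rulesets and the first-match-wins semantics are constructed assumptions about the firewall being modelled, and the probe checks a guest host against every address in the card-processing VLAN so that a shadowed rule shows up as a concrete list of reachable hosts and ports.

```python
"""Segmentation check: can the guest Wi-Fi reach the card-processing VLAN?

Added example, not from the thread. Networks, rules and probe ports are
constructed; first-match-wins with implicit deny is an assumed firewall
semantics.
"""
import ipaddress

GUEST_NET = ipaddress.ip_network("172.16.0.0/16")  # constructed guest Wi-Fi
POS_NET = ipaddress.ip_network("10.20.0.0/24")     # constructed card-processing VLAN


def compile_rules(rules):
    """Turn (src_cidr, dst_cidr, dport_or_None, action) tuples into network objects."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, a) for s, d, p, a in rules]


# Constructed ruleset with an ordering mistake: the broad "guest to anywhere
# on 443" allow sits above the guest-isolation deny and shadows it.
WEAK_RULES = compile_rules([
    ("10.10.5.0/24",  "10.20.0.0/24",   22,   "allow"),  # admin jump hosts to POS
    ("172.16.0.0/16", "0.0.0.0/0",      443,  "allow"),  # guest web access (too broad, too early)
    ("172.16.0.0/16", "10.0.0.0/8",     None, "deny"),   # intended guest isolation
    ("10.20.0.0/24",  "203.0.113.0/24", 443,  "allow"),  # POS to payment processor
    ("0.0.0.0/0",     "0.0.0.0/0",      None, "deny"),   # default deny
])

# Corrected ruleset: the isolation deny comes first, so no later allow can
# reopen internal address space to the guest network.
HARDENED_RULES = compile_rules([
    ("172.16.0.0/16", "10.0.0.0/8",     None, "deny"),
    ("10.10.5.0/24",  "10.20.0.0/24",   22,   "allow"),
    ("172.16.0.0/16", "0.0.0.0/0",      443,  "allow"),
    ("10.20.0.0/24",  "203.0.113.0/24", 443,  "allow"),
    ("0.0.0.0/0",     "0.0.0.0/0",      None, "deny"),
])


def _addr(x):
    """Accept either an address object or its string form."""
    return ipaddress.ip_address(x) if isinstance(x, str) else x


def evaluate(rules, src, dst, dport):
    """First matching rule decides; no match means deny (assumed semantics)."""
    src, dst = _addr(src), _addr(dst)
    for rsrc, rdst, rport, action in rules:
        if src in rsrc and dst in rdst and (rport is None or rport == dport):
            return action
    return "deny"


PROBE_PORTS = (22, 443, 445, 3389)  # constructed set of ports worth probing


def find_segmentation_gaps(rules, src_net=GUEST_NET, dst_net=POS_NET, ports=PROBE_PORTS):
    """Probe one representative source host against every host in dst_net.

    Returns the (dst, port) pairs the ruleset lets through. One source host
    is enough here because the rules are written per network, not per host."""
    src = next(src_net.hosts())
    gaps = []
    for dst in dst_net.hosts():
        for port in ports:
            if evaluate(rules, src, dst, port) == "allow":
                gaps.append((str(dst), port))
    return gaps


def summarize(gaps):
    """Collapse the probe result into a count of reachable hosts and the open ports."""
    return {
        "reachable_hosts": len({d for d, _ in gaps}),
        "ports": sorted({p for _, p in gaps}),
    }


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, summarize(find_segmentation_gaps(rules)))
```

With the weak ordering every one of the 254 POS hosts is reachable from the guest network on 443, which is exactly the kind of path a guest-side attacker needs; with the deny moved to the top the probe returns nothing, while the admin jump hosts and the POS-to-processor path still evaluate to allow. Running the probe as a unit test whenever the ruleset changes catches this class of regression before it reaches production.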

  11. Re:https://blackcockworship.tumblr.com/ by Anonymous Coward · · Score: 0

    FUCK OFF AND DIE!!!