Hyatt Hotels Discovers Card Data Breach At 41 Properties Across 11 Countries

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.

We really need to start using Rust.

How many breaches will it take before we all realize that we need to start using safer programming languages, namely Rust? Rust has been designed from the ground up to be safe. Now I'm not saying that we should immediately rewrite all existing code in Rust . But we need to gradually start using it. I think that all new applications should be written in Rust, and existing ones should be migrated when it is feasible to do so. We really need to focus on safe and secure software, and Rust is the best programming language to help us do that.

Re: We really need to start using Rust.

Agreed. Just a week ago I used rust to reprogram my moms pacemaker. The stupid programmers used this old outdated technique known as assembly and C. I called the company and told them that Rust would fix all the holes, even the one in my moms heart.

Rust is such a great language, it has over 20 years in the business. No other language is as safe as rust is. Rust stops holes before they even start. If everyone programmed in rust there would be 0 exploits in the world. Why can't people see rust is the best? I mean it's so good that if you downplay it or talk negative about it, hacker news and stack exchange will down vote you. That's a testament to how great rust and the community is. Always diligent.

The community is top notch. What other community has a code of conduct? How can people program without codes of conduct? A CoC allows rust to be the best language there is, hands down. How else am I supposed to know how to conduct myself without the rust team of professionals telling me? That's why C/C++ suck so bad. No one knows how to conduct themselves. ;)

Re: We really need to start using Rust.

Whoever down voted this just for a huge fucking whoooooosh over their heads. Fucking idiot snowflakes lol.

Re: We really need to start using Rust.

What other community has a code of conduct?

Node.js, which they use to silence white men and allow women and minorities to engage in racism against white men.

Hyatt has a cyber security team

[turkeydance]

like wow

cash still works

if only you could withdraw enough cash to pay for a night's stay without banking institutions sending flares up to the feds.

Solution

[sit1963nz]

Here's the solution.
Stop collecting and storing data on your customers. If you don't have it, it can NOT be hacked.

Screw your "loyalty program", it does not come free, its just added to the price (as is the admin for it). I am not interested in paying 15% more so I can get the 10th stay free.
If you demand my email address, you will get one, its mine, its legitimate, but its ignored by me except to purge it now and again. Why, because I have had my email address sold/ given out to "select partners" too often and got spammed, so F you all.
I am not there you you to advertise to me, the fact I stayed there once is 99% good luck, you were available and the price was right, nothing more. Spamming me just p!sses me off and makes it LESS likely you will ever see me again. And I sure as hell recommend friends not to stay if you spam me.
So, do you get it. STOP the data collection.

Re:Solution

[Paradise+Pete]

Stop collecting and storing data on your customers. If you don't have it, it can NOT be hacked.

That's why I use Apple Pay whenever I can. The retailer gets no information other than "paid". If I had an Android phone I would use whatever the equivalent is over there. Apple and Google have a lot less chance of being hacked, unlike the near-certainty for so many of these outfits.

Re:Solution

[rtb61]

I would say, beware where you place insecure security cameras. Spying on your reception staff, making sure they are not doing naughty things but don't really care who else logs into those cameras. Well, when you staff checks credit cards and flips them over in front of high definition cameras, any one else who logs in, can also watch your stuff check those credit cards and I'll bet you hooked all those security cameras up together, so head office could spy on all reception staff, all of the time, as could any one else logged into those cameras. What could go wrong with that :|.

Re:Solution

[The123king]

Call me old fashioned, but i either use cash, Paypal or chip-and-pin. If you don't take one of those, you don't get my business.

Contactless/NFC IMHO is so easy to skim, i'd rather not have it at all.

Re:Solution

Chip and Pin is worthless in the US. They can still collect your credit card number. I don't know how many times I have been able to make purchases under a certain $ amount without even needing to enter a pin. And then there are online sales where they will just gladly accept the CC# with no chip/pin validation.

In the US it is a flawed system designed to make stores buy new chip compatible POS terminals if the stores did not want to be liable for fraudulent transactions, it does ZILCH to protect the actual card holder.

Basically a big scam by the POS hardware vendors to sell new hardware and a liability shift from the credit card companies to the stores if they did not purchase said hardware.

Re:Solution

High resolution cameras can't resolve credit card numbers. This isn't CSI, and while there ARE cameras that can do this (with a high quality optical zoom lens), they're not the sort bought for the front desk monitor.

Re:Solution

Stop collecting and storing data on your customers. If you don't have it, it can NOT be hacked.

That's why I use Apple Pay whenever I can. The retailer gets no information other than "paid". If I had an Android phone I would use whatever the equivalent is over there. Apple and Google have a lot less chance of being hacked, unlike the near-certainty for so many of these outfits.

That's not a solution but rather move the problem to somewhere else, namely Apple. The information is still being collected but not at the hotel. Besides, the information is now in one place. Hence, it is not really a solution.

Re:Solution

As a wise man once said: "If you can't protect it, don't collect it"

Re:Solution

[Paradise+Pete]

So you don't think having the information in one place is better than having in many places? I'm not following your logic here. It's not the transaction that's the concern, it's the personal info.

Re:Solution

[Killall+-9+Bash]

Basically a big scam by the POS hardware vendors to sell new hardware and a liability shift from the credit card companies to the stores if they did not purchase said hardware.

PCI-DSS in a nutshell.

My company has a contract with Hyatt...

and my credit card has been replaced five times so far this year. I'm sure not all of them were due to the hotel chain, but it's a damn ridiculous inconvenience. Bank of America closed all of my accounts and my credit card in 2010 after Holiday Inn got hacked so many times. That wrecked my credit so badly that my previously approved home loan got canceled so I lost a $4k deposit. Even worse, the place I lost my deposit on has gone up nearly $250k in value. Holliday Inn's problems cost me over a quarter of a million dollars.

Shock!

[The123king]

Multinational company gets hacked. Loses millions of peoples personal details. More at 11.

Seriously, this is hardly even news any more. And that's hardly a good thing.

Usual PR bollocks.

"Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue."

The data breach happened over a period of 3 and a half months, so Hyatt's "layers of defense" is as useful as a chocolate teapot.

Microsoft Windows strikes again ..

[najajomo]

That article, a bit short on actual technical details :)