If it's not that, then the blanket, no-advance notice lock-out would seem to be overkill of the "out of an abundance of caution" sort.

Since Hyatt doesn't use CAPTCHAs or other such "anti-robot" checks against automated password guesses, how many times could someone try to guess a password before the account would be locked from being accessed?

Between user names of some sorts being very obvious and a substantial percentage of passwords and PINs being easily predictable, I would have expected more than a couple of accounts to be vulnerable.