FlyerTalk Forums


Gold Passport Concierge Jan 14, 2016 12:15 pm

Payment Card Incident Investigation Complete
 
Dear FlyerTalkers,

As you know, we have been working tirelessly to complete our previously announced investigation regarding malware that targeted payment card data used at Hyatt-managed locations. Protecting customer information is critically important to Hyatt, and we now have more complete information we want to share so that you can take steps to protect yourself.

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.

The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

Details, including the list of affected Hyatt locations and respective at-risk dates, are available at www.hyatt.com/protectingourcustomers.

Please be assured that the issue has been resolved, the security of our systems has been strengthened, and – as previously shared – you can confidently use payment cards at Hyatt hotels worldwide.

Customers should review their payment card account statements closely and report any unauthorized charges to their card issuer immediately. Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them.

If you have questions or would like more information, please call 1-877-218-3036 (U.S. and Canada) or +1-814-201-3665 (International) from 7 a.m. to 9 p.m. EST.

We deeply regret the inconvenience and any concern this may have caused you, and we thank you for your continuing support of Hyatt.

Sincerely,

Chuck Floyd
Global President of Operations

britishcanuck Jan 14, 2016 12:51 pm

Thanks for the update. ^

austin_modern Jan 14, 2016 1:46 pm

Whew... I feel all better now.

peteropny Jan 15, 2016 8:25 am

Hotel list seems to indicate that most domestic full service properties were affected (not all) and no domestic Hyatt Place or Hyatt House properties were affected.

Edit: this announcement comes pretty late with the issue being brought up on 12/23 in a thread that I just locked for housekeeping purposes so we don't have 2 threads running discussing the same issue.

Sant Jan 15, 2016 9:37 am


Originally Posted by Gold Passport Concierge (Post 26018657)
Please be assured that the issue has been resolved, the security of our systems has been strengthened, and – as previously shared – you can confidently use payment cards at Hyatt hotels worldwide.

I was under the false impression that I could confidently use my payment card during my stay at a Hyatt hotel back in mid-October of last year.

hailstorm Jan 15, 2016 3:56 pm


Originally Posted by Sant (Post 26023398)
I was under the false impression that I could confidently use my payment card during my stay at a Hyatt hotel back in mid-October of last year.

You can always confidently use your credit card...provided that none of the hundreds of people and systems that you show it to throughout the course of a year decide to make off with the information.

MSPeconomist Jan 15, 2016 5:40 pm

It would be good if the hotels (and dates) on the list where one needs to worry about having used a credit card at the front desk were listed separately.

serpens Jan 15, 2016 7:46 pm

Yes, hotels where the front desk was compromised should be flagged somehow. A separate list would be good, but an indicator of some sort is completely appropriate. This omission indicates that Hyatt is not thinking of this from a customer's point of view.

mahasamatman Jan 15, 2016 8:28 pm


Originally Posted by MSPeconomist (Post 26025765)
It would be good if the hotels (and dates) on the list where one needs to worry about having used a credit card at the front desk were listed separately.


Originally Posted by serpens (Post 26026131)
Yes, hotels where the front desk was compromised should be flagged somehow.

I'm trying to figure out why it matters? These days, I think it's safe to assume that your credit card is at risk everywhere and take advantage of the offer.

PointsNmiles Jan 15, 2016 11:26 pm

It would have been nice for them to send emails to those affected. Not good!

PAX_fips Jan 16, 2016 1:07 am

Bottom line: four months of abuse and another five weeks to produce a notice.

hailstorm Jan 16, 2016 2:38 am

Contacted the Park Hyatt Tokyo directly, as I believed that they might have more specific information about what was affected at their own hotel, but they brusquely directed me back to the above Hyatt contact. Thought they would be a little more sensitive towards customers that they might have gravely inconvenienced. :td:

jfirstenberg Jan 16, 2016 7:30 am

So of course I went to my online GP activity only to see that GP is having a technical problem reproducing the list of stays during the time period to cross match with the list of hotels affected. I'm sure this will be fixed soon.

When I spoke to GP, they said they could see the activity and suggested I enroll. CSID requires that you submit a SSN at the time of enrollment. Great, a company I don't know is getting my SSN in a form online. I can't even enroll and provide it later.

I also had to ask CSID what their PW limits were since they were not provided on the signup page. 8-15 characters long, 1 uppercase, 1 lowercase, 1 number and special characters were allowed. Personally, 15 max is not high enough and a service designed to protect/safeguard you should go much higher. Hyatt allows passwords up to 35 characters long even though they don't permit special characters.

Does anyone have any information on CSID? Is this a good service or just another fly-by-night credit monitoring website that Hyatt is using because the big brands were more costly?

serpens Jan 16, 2016 3:15 pm

The federal Office of Personnel Management chose CSID as the monitoring service for those federal employees whose information was hacked. I signed up. CSID sends many email alerts saying some activity had been detected and I should log in to review my file. Way more often than not, the report is incomprehensible to me. A few times, I called and asked what the report was trying to say; I got no meaningful response. Of course, it could be that I am not intelligent enough to use the service.

Following another federal data breach, OPM again offered some monitoring service. As far as I could tell, both it and CSID are children of the same parent company. The CSID sibling had typos on its web page and some other red flag that I do not recall. I did not register with the CSID sibling.

As far as I can tell, CSID is above-board but not fully competent. Again as far as I can tell, it hasn't hurt me to register with CSID, but it hasn't accomplished anything for me, either. I agree completely with the statement about passwords. CSID gives the appearance of being slapped together to take advantage of data breaches by charging the likes of OPM and Hyatt for services. I cannot imagine why anyone would pay his or her own money for the service it provides.

This is all my opinion, of course.

hailstorm Jan 16, 2016 3:58 pm

Let's form a one trillion point class action lawsuit.

