
Payment Card Incident Investigation Complete

Old Jan 14, 2016, 12:15 pm
  #1  
No longer used by Hyatt; use World of Hyatt Concierge
Original Poster
 
Join Date: Jul 1999
Posts: 1,628
Payment Card Incident Investigation Complete

Dear FlyerTalkers,

As you know, we have been working tirelessly to complete our previously announced investigation regarding malware that targeted payment card data used at Hyatt-managed locations. Protecting customer information is critically important to Hyatt, and we now have more complete information we want to share so that you can take steps to protect yourself.

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.

The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

Details, including the list of affected Hyatt locations and respective at-risk dates, are available at www.hyatt.com/protectingourcustomers.

Please be assured that the issue has been resolved, the security of our systems has been strengthened, and – as previously shared – you can confidently use payment cards at Hyatt hotels worldwide.

Customers should review their payment card account statements closely and report any unauthorized charges to their card issuer immediately. Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them.

If you have questions or would like more information, please call 1-877-218-3036 (U.S. and Canada) or +1-814-201-3665 (International) from 7 a.m. to 9 p.m. EST.

We deeply regret the inconvenience and any concern this may have caused you, and we thank you for your continuing support of Hyatt.

Sincerely,

Chuck Floyd
Global President of Operations
Gold Passport Concierge is offline  
Old Jan 14, 2016, 12:51 pm
  #2  
 
Join Date: Nov 2013
Location: DFW
Programs: AA EXP, Marriott Titanium
Posts: 515
Thanks for the update. ^
britishcanuck is offline  
Old Jan 14, 2016, 1:46 pm
  #3  
 
Join Date: Jan 2010
Location: Stockholm, Sweden + Austin, Tx
Programs: "But, I'm a GLOBALIST guest...."
Posts: 2,848
Whew... I feel all better now.
austin_modern is offline  
Old Jan 15, 2016, 8:25 am
  #4  
Moderator: GLBT Travelers & Hyatt Gold Passport
 
Join Date: Jan 2000
Location: CVG
Posts: 15,300
Hotel list seems to indicate that most domestic full service properties were affected (not all) and no domestic Hyatt Place or Hyatt House properties were affected.

Edit: this announcement comes pretty late with the issue being brought up on 12/23 in a thread that I just locked for housekeeping purposes so we don't have 2 threads running discussing the same issue.

Last edited by peteropny; Jan 15, 2016 at 9:16 am
peteropny is offline  
Old Jan 15, 2016, 9:37 am
  #5  
 
Join Date: Sep 2008
Programs: American AAdvantage
Posts: 1,045
Originally Posted by Gold Passport Concierge
Please be assured that the issue has been resolved, the security of our systems has been strengthened, and – as previously shared – you can confidently use payment cards at Hyatt hotels worldwide.
I was under the false impression that I could confidently use my payment card during my stay at a Hyatt hotel back in mid-October of last year.
Sant is offline  
Old Jan 15, 2016, 3:56 pm
  #6  
FlyerTalk Evangelist
 
Join Date: Jul 2011
Programs: Hyatt Discoverist, SEIBU PRINCE CLUB Silver, Marriott Gold
Posts: 20,434
Originally Posted by Sant
I was under the false impression that I could confidently use my payment card during my stay at a Hyatt hotel back in mid-October of last year.
You can always confidently use your credit card...provided that none of the hundreds of people and systems that you show it to throughout the course of a year decide to make off with the information.
hailstorm is offline  
Old Jan 15, 2016, 5:40 pm
  #7  
A FlyerTalk Posting Legend
 
Join Date: Sep 2009
Location: Minneapolis: DL DM charter 2.3MM
Programs: A3*Gold, SPG Plat, HyattDiamond, MarriottPP, LHW exAccess, ICI, Raffles Amb, NW PE MM, TWA Gold MM
Posts: 100,404
It would be good if the hotels (and dates) on the list where one needs to worry about having used a credit card at the front desk were listed separately.
MSPeconomist is offline  
Old Jan 15, 2016, 7:46 pm
  #8  
Hilton Contributor Badge
 
Join Date: Sep 2015
Location: flyover country
Posts: 2,435
Yes, hotels where the front desk was compromised should be flagged somehow. A separate list would be good, but an indicator of some sort is completely appropriate. This omission indicates that Hyatt is not thinking of this from a customer's point of view.
serpens is offline  
Old Jan 15, 2016, 8:28 pm
  #9  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,139
Originally Posted by MSPeconomist
It would be good if the hotels (and dates) on the list where one needs to worry about having used a credit card at the front desk were listed separately.
Originally Posted by serpens
Yes, hotels where the front desk was compromised should be flagged somehow.
I'm trying to figure out why it matters? These days, I think it's safe to assume that your credit card is at risk everywhere and take advantage of the offer.
mahasamatman is offline  
Old Jan 15, 2016, 11:26 pm
  #10  
 
Join Date: Aug 2012
Programs: HH Diamond, Hyatt Globalist, Marriott Gold, Club Carlson Gold, National EE, *G
Posts: 470
It would have been nice for them to send emails to those affected. Not good!
PointsNmiles is offline  
Old Jan 16, 2016, 1:07 am
  #11  
 
Join Date: Oct 2015
Location: next to HAM
Programs: LH M+M
Posts: 960
Bottom line: four months of abuse and another five weeks to produce a notice.
PAX_fips is offline  
Old Jan 16, 2016, 2:38 am
  #12  
FlyerTalk Evangelist
 
Join Date: Jul 2011
Programs: Hyatt Discoverist, SEIBU PRINCE CLUB Silver, Marriott Gold
Posts: 20,434
Contacted the Park Hyatt Tokyo directly, as I believed that they might have more specific information about what was affected at their own hotel, but they brusquely directed me back to the above Hyatt contact. Thought they would be a little more sensitive towards customers that they might have gravely inconvenienced.
hailstorm is offline  
Old Jan 16, 2016, 7:30 am
  #13  
 
Join Date: Nov 2005
Posts: 42
So of course I went to my online GP activity only to see that GP is having a technical problem reproducing the list of stays during the time period to cross match with the list of hotels affected. I'm sure this will be fixed soon.

When I spoke to GP, they said they could see the activity and suggested I enroll. CSID requires that you submit an SSN at the time of enrollment. Great, a company I don't know is getting my SSN in a form online. I can't even enroll and provide it later.

I also had to ask CSID what their PW limits were since they were not provided on the signup page. 8-15 characters long, 1 uppercase, 1 lowercase, 1 number and special characters were allowed. Personally, 15 max is not high enough and a service designed to protect/safeguard you should go much higher. Hyatt allows passwords up to 35 characters long even though they don't permit special characters.

Does anyone have any information on CSID? Is this a good service or just another fly-by-night credit monitoring website that Hyatt is using because the big brands were more costly?
jfirstenberg is offline  
Old Jan 16, 2016, 3:15 pm
  #14  
Hilton Contributor Badge
 
Join Date: Sep 2015
Location: flyover country
Posts: 2,435
The federal Office of Personnel Management chose CSID as the monitoring service for those federal employees whose information was hacked. I signed up. CSID sends many email alerts saying some activity had been detected and I should log in to review my file. Way more often than not, the report is incomprehensible to me. A few times, I called and asked what the report was trying to say; I got no meaningful response. Of course, it could be that I am not intelligent enough to use the service.

Following another federal data breach, OPM again offered some monitoring service. As far as I could tell, both it and CSID are children of the same parent company. The CSID sibling had typos on its web page and some other red flag that I do not recall. I did not register with the CSID sibling.

As far as I can tell, CSID is above-board but not fully competent. Again as far as I can tell, it hasn't hurt me to register with CSID, but it hasn't accomplished anything for me, either. I agree completely with the statement about passwords. CSID gives the appearance of being slapped together to take advantage of data breaches by charging the likes of OPM and Hyatt for services. I cannot imagine why anyone would pay his or her own money for the service it provides.

This is all my opinion, of course.
serpens is offline  
Old Jan 16, 2016, 3:58 pm
  #15  
FlyerTalk Evangelist
 
Join Date: Jul 2011
Programs: Hyatt Discoverist, SEIBU PRINCE CLUB Silver, Marriott Gold
Posts: 20,434
Let's form a one trillion point class action lawsuit.
hailstorm is offline  

