Cyber Incident Victim: Hyatt Hotels Corporation
Date:
Mar 2015
Location:
United States of America
Summary
A cybersecurity incident involving HEI Hotels & Resorts impacted multiple properties operated for several hospitality brands, including Hyatt Hotels Corporation. Malware infiltrated payment systems at restaurants, bars, spas, and retail facilities across 20 U.S. locations, potentially compromising customer names, payment card numbers, expiration dates, and verification codes. The malicious software targeted transactions over an extended period, though PIN data remained unaffected as it was not collected by the systems. HEI engaged external experts to investigate the breach, notified federal authorities, and implemented an isolated payment processing system to mitigate future risks. The incident affected numerous branded properties under HEI's management, with transaction volumes varying significantly across individual hotels.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The malware incident affecting HEI Hotels & Resorts-operated properties, including one Hyatt location, was publicly disclosed on August 15, 2016. HEI detected malicious software designed to harvest payment card information on their systems during early to mid-June 2016. Forensic investigation determined the malware had been active across 20 U.S. hotel properties since March 1, 2015, with continued operation through June 21, 2016. Fourteen of the impacted hotels experienced compromise after December 2, 2015. The malware specifically targeted point-of-sale systems handling food, beverage, spa, and retail transactions at hotel facilities, excluding reservation systems.
Compromised data included customer names, payment card account numbers, expiration dates, and card verification codes, though PIN information remained secure as HEI's systems did not collect it. The Hyatt Centric Santa Barbara location recorded approximately 8,000 potentially affected transactions during the breach period. HEI engaged external cybersecurity experts to investigate the intrusion and notified federal law enforcement authorities. Remediation efforts included deployment of an isolated payment processing system segregated from other network components. Among the impacted properties were Starwood-branded hotels across 12 locations and Marriott International facilities in five cities, alongside the single Hyatt and InterContinental Hotels Group properties. Transaction volume analysis indicated substantial exposure at specific locations, such as 12,800 transactions at the Tampa InterContinental.