Cyber Incident Victim: Hyatt Hotels Corporation
Date: Mar 2017
Location: United States of America
Summary
A hospitality company experienced unauthorized access to payment card data at 41 managed properties across 11 countries, predominantly affecting 18 locations in China and seven U.S. locations in Hawaii, Puerto Rico, and Guam. The breach compromised manually entered or swiped card details—names, numbers, expiration dates, and verification codes—from front desk transactions. The organization's cybersecurity team identified signs of the intrusion and concluded an investigation that addressed the issue while implementing preventive measures. This incident followed a prior compromise of payment systems impacting hundreds of hotels globally.
Description
Hyatt Hotels Corp disclosed unauthorized access to payment card information at 41 managed properties across 11 countries between March 18, 2017, and July 2, 2017. The breach impacted cardholder names, card numbers, expiration dates, and internal verification codes from payment cards manually entered or swiped at front desks of affected locations. China accounted for the highest concentration of impacted properties with 18 sites, while seven U.S. locations were compromised—including three in Hawaii, three in Puerto Rico, and one in Guam. The company's cybersecurity team first detected signs of unauthorized access in July 2017, prompting an internal investigation that concluded on October 12, 2017. Hyatt stated the investigation resolved the security issue and implemented preventive measures against future incidents.

This marked Hyatt's second significant payment card breach within two years, following a late-2015 malware infection that compromised payment systems across approximately 250 hotels in 50 countries. The 2017 incident exclusively targeted front desk payment processing systems where cards were physically handled by staff. No evidence suggested the breach extended to cards used via Hyatt's online reservation platforms. Upon concluding its investigation, the company notified affected customers and reinforced security protocols across its properties. The breach window spanned nearly four months before detection, exposing payment card data during transactions processed at front desks of select Hyatt-managed locations worldwide.
