Following an investigation launched after discovering malware on its payment processing systems, Hyatt Hotels has revealed the breach affected 250 hotels in more than 50 countries.
The Chicago-based hospitality company announced it identified signs of unauthorized access to payment card data from cards used at certain Hyatt-managed locations – primarily at restaurants – between August 13, 2015, and December 8, 2015.
Hyatt said a small percentage of the at-risk cards were used at spas, golf shops, parking, front desks, or were provided to a sales office during this time period.
The company noted a “limited” number of locations may have been affected as early as July 30, 2015.
“The malware was designed to collect payment card data – cardholder name, card number, expiration data and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems,” explained Hyatt’s Global President of Operations Chuck Floyd in a letter to customers.
Floyd added the company has found no indication that other customer information was compromised.
The company published a list of all affected locations, with the majority being based in the United States, China and India. In the U.S. alone, nearly 100 hotels across 26 states were affected.
Other impacted locations included Hyatt hotels in Argentina, Australia, Brazil, Canada, France, Germany, Italy, Mexico, Philippines, Russia, Singapore, Thailand, the U.K. and more.
“For at-risk transactions where a cardholder’s name was affected, we are in the process of mailing letters to customers for whom we have a mailing address and sending emails to customers for whom we only have an email address,” Floyd said.
Hyatt says it was quick to engage with leading cyber security experts to resolve the issue and strengthen the security of its systems to help prevent future incidents.
Customers are urged to remain vigilant and review their payment card account statements closely, as well as reporting any unauthorized activity to their card issuers.
The company is offering those affected one year of free fraud protection services via CSID.
Hyatt joins a number of other hotels, including Starwood Hotels and Resorts, Hilton Hotels and the hotel chain owned by Donal Trump, that discovered malicious activity on their payment processing systems last year.