Hyatt Reports Credit Card Breach

Hyatt Hotels Corp. has notified its customers of a payment card breach that occurred at a number of its hotels between March 18 and July 2.

The breach, Hyatt wrote in a letter on Thursday, impacts card numbers manually entered or swiped at the front desks of certain hotels. For past hotel company breaches, point-of-sale systems at gift shops, spas and restaurants were the main targets. On its website, Hyatt names 41 affected hotels across 13 countries.

This is the second major payment card breach reported by Hyatt in two years. The company disclosed the previous one in late December 2015. It affected guest cards used at 250 hotels across about 50 countries. That same year saw other major hoteliers impacted by payment card breaches and malware attacks, including Hilton, Starwood Hotels & Resorts, Trump Hotels and White Lodging Hotel Service Corp. This year, InterContinental Hotels Group reported that a previously disclosed 2016 was worse than first thought; it potentially compromised payment card information at more than 1,100 IHG hotels. In May, Sabre disclosed a massive breach of its hotel reservations system.

The information gleaned in the most recent Hyatt attack included cardholder names, card numbers, security codes and expiration dates. The Hyatt letter, signed by global president of operations Chuck Floyd and forwarded to BTN, said no other guest information held on the company's IT systems was compromised. "As a result of measures we have taken to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide," the letter stated.

While the rash of breaches in 2016 and earlier prove breaches are not new, recent hacks of massive institutions—including Equifax, Yahoo, Deloitte and the SEC—are putting new pressure on corporate governing bodies and federal legislatures to improve security and to enact harsher penalties for failure to protect customer data. In July, the California-based Wilshire Law Firm filed a proposed class-action lawsuit in a federal district court against Sabre Corp. for the eight-month-long data breach of its Synxis Central Reservation System. Neither the firm nor Sabre have provided updates on the suit.