Digital Life

Hyatt credit card breach affected 250 hotels worldwide

If you stayed, ate or played at a Hyatt hotel between August 13 and December 8, 2015, there's a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain's payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

In its new statement, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a "small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks." Hyatt has published the list of affected hotels, which includes those in Melbourne, Sydney, Perth and Canberra.

The Grand Hyatt Melbourne was one of 250 hotels worldwide affected by the breach. Photo: Peter Braig

US-based Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging (twice) and the Trump Collection.

While breaches like this affect cardholders all over the world, most of the fraudulent transactions will be carried out in the US. This is thanks to an institutional lag in switching over from magnetic-stripe credit and debit cards to chip-based cards in the US, which means manufacturing and using counterfeit cards from stolen data in that nation continues to be child's play.

US banks have been transitioning for some time to chip-based cards, and a greater number of US retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.

However, most of these chip cards will still hold customer data in plain text on the card's magnetic stripe, and the many US merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.

The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.

Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards — including Australia — that card data is typically shipped to thieves in the United States, who can counterfeit the cards and use them to steal merchandise from US-based big box retailers.

As chip card adoption picks up in the States and counterfeiting cards becomes more expensive for cyber thieves, we will start to hear about far fewer of these retail breaches. E-commerce providers will no doubt feel the brunt of this shift because the thieves don't just go away when you make things harder on them — they go where there are more plentiful victims and fewer up-front costs. And for cybercrooks, there is a great deal of low-hanging fruit in the e-commerce sector (and there are plenty of new businesses coming online for the first time every day).

There is another big shift in fraud that's coming but that is probably not getting enough attention from the banks, retailers and e-commerce providers: It's a safe bet that we can also expect a giant spike in account takeovers and in new account fraud. Both forms of fraud are closely linked to static consumer identity data (DOB, etc.) that is widely available in the cybercrime underground. Banks and retailers alike have a lot of work ahead of them to improve the reliability and scalability of systems for authenticating and really knowing their customers.

Instead, many financial institutions have squandered a great deal of their resources trying to figure out which retailers are exposing their customers' cards. That's because Visa, MasterCard and the other card associations won't tell banks which retailers have been hit; they just send them incessant updates about specific card numbers that are suspected to have been compromised in a breach somewhere. It's then up to the banks to work backwards from the breached cards and triangulate which merchants show up most frequently in a given batch of cards.
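The working-backwards step described above is what card issuers call common-point-of-purchase analysis. The following Python is an added illustration, not code from the article or from any bank's fraud tooling: it takes a batch of flagged card tokens plus the bank's own transaction history and ranks merchants by how over-represented they are among the flagged cards inside the breach window. The card tokens, merchant names and transactions are constructed for the example; the breach window is the one the article gives.

```python
"""Common-point-of-purchase (CPP) analysis.

Added example: models how an issuer works backwards from a batch of
card numbers flagged by the card associations to the merchant those
cards have in common. All data below is constructed; card identifiers
are opaque tokens, not real card numbers.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date
from typing import Iterable, NamedTuple


class Txn(NamedTuple):
    card: str       # opaque token for a card (constructed)
    merchant: str   # merchant name as it appears in settlement data
    when: date      # transaction date


def cpp_scores(transactions: Iterable[Txn],
               flagged_cards: set[str],
               window_start: date,
               window_end: date,
               min_flagged: int = 2) -> list[tuple[str, int, int, float]]:
    """Rank merchants by how over-represented they are among flagged cards.

    For every merchant seen inside the window, count the distinct flagged
    cards and the distinct cards overall that transacted there. The score
    is the flagged share of that merchant's customers divided by the
    flagged share of all in-window cards (a lift ratio). A merchant that
    most flagged cards visited, but few other cards did, rises to the top.

    Returns (merchant, flagged_count, total_count, lift), best lift first.
    """
    cards_at: dict[str, set[str]] = defaultdict(set)
    all_cards: set[str] = set()
    for t in transactions:
        if not (window_start <= t.when <= window_end):
            continue  # activity outside the breach window is ignored
        cards_at[t.merchant].add(t.card)
        all_cards.add(t.card)
    if not all_cards:
        return []
    base_rate = len(all_cards & flagged_cards) / len(all_cards)
    if base_rate == 0:
        return []  # none of the flagged cards transacted in the window
    ranked = []
    for merchant, cards in cards_at.items():
        flagged = len(cards & flagged_cards)
        if flagged < min_flagged:
            continue  # too few flagged cards to support any conclusion
        lift = (flagged / len(cards)) / base_rate
        ranked.append((merchant, flagged, len(cards), round(lift, 2)))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


# Constructed sample: five flagged cards (c1..c5) and seven others.
WINDOW_START = date(2015, 8, 13)   # breach window from the article
WINDOW_END = date(2015, 12, 8)
FLAGGED = {"c1", "c2", "c3", "c4", "c5"}
SAMPLE_TXNS = [
    # Every flagged card, plus one unflagged card, ate at the same hotel restaurant.
    *[Txn(c, "HOTEL-RESTAURANT-A", date(2015, 9, 20)) for c in ("c1", "c2", "c3", "c4", "c5", "c6")],
    # A busy grocer seen by many cards, only two of them flagged.
    *[Txn(c, "GROCERY-B", date(2015, 10, 2)) for c in ("c1", "c2", "c6", "c7", "c8", "c9", "c10")],
    # A fuel station with a mixed customer base.
    *[Txn(c, "GAS-C", date(2015, 11, 11)) for c in ("c3", "c4", "c11", "c12")],
    # A single flagged card: below the evidence threshold.
    Txn("c5", "CAFE-D", date(2015, 11, 12)),
    # All flagged cards visited this merchant, but before the window opened.
    *[Txn(c, "OUTSIDE-WINDOW-E", date(2015, 7, 1)) for c in FLAGGED],
]


def run_example() -> list[tuple[str, int, int, float]]:
    """Run CPP analysis over the constructed sample."""
    return cpp_scores(SAMPLE_TXNS, FLAGGED, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for merchant, flagged, total, lift in run_example():
        print(f"{merchant:20s} flagged={flagged}/{total} lift={lift}")
```

On this sample the hotel restaurant comes out with a lift of 2.0 (five of its six in-window cards are flagged), the fuel station 1.2, the grocer 0.69; the cafe is dropped for having only one flagged card and the pre-window merchant never enters the count. With real volumes the base rate is tiny and the lift for a true common point of purchase is correspondingly large, but the threshold on flagged count still matters: a single flagged card at a merchant proves nothing.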

All of this probably explains why on any given week I'm contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they're experiencing. As a journalist, this is a bit of a surreal situation, but I can't complain much: It has allowed this author to break story after story about card breaches in the retail sector over the past two years.

KrebsOnSecurity
