On December 23, Chicago-based Hyatt Hotels Corp. announced that it had recently discovered malware on its payment processing systems at locations managed by Hyatt. In a statement, Hyatt said it has hired a security firm to help investigate the breach and that the investigation is ongoing.
Hyatt also said it has taken steps to improve the security of its systems, and while the investigation is ongoing, Hyatt said it considers its systems safe for customers to use credit cards now. But the company advised customers that they “should review their payment card account statements closely and report any unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.”
Hyatt did not state a timeframe for when the company believed systems were breached, nor did it share how many customers may have been affected. Hyatt said it will provide updates at www.hyatt.com/protectingourcustomers.
Hyatt is the most recent in a handful of hotel and hospitality companies to have been compromised, including Hilton, Mandarin Oriental and Starwood.
Wyndham Hotels and Resorts faced FTC penalties in a lawsuit, since settled, over data breaches going back to 2008 and 2009 that resulted in the exposure of the credit card information of nearly 620,000 customers and more than $10 million in fraudulent credit card transactions targeting those cards. While Wyndham avoided having to pay a fine, it's going to have to answer to the FTC for some time to come regarding its cybersecurity efforts.
According to this press release, under the terms of the settlement, “Wyndham will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez in the release. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area,” Ramirez said.
Wyndham will also have to undergo annual security audits of its information security program, and the benchmark will be the Payment Card Industry Data Security Standard.
According to the FTC’s statement, Wyndham’s audit must also:
- Certify the “untrusted” status of franchisee networks to prevent future hackers from using the same method used in the company’s prior breaches;
- Certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company;
- Certify that the auditor is qualified, independent and free from conflicts of interest.