Malware again checks into Hyatt's hotels, again checks out months later with victims' credit cards

Hyatt has provided the perfect excuse for folks trying to explain to bosses or spouses why a film they watched in their hotel room for just seven minutes appeared on their company or personal credit card. Its computer systems were earlier this year hacked by miscreants, who infected payment terminals with malware that siphoned …

Silver badge

Again?

Didn't Hyatt have a breach a couple of years ago? Or was it some other hotel chain?

2
4
Anonymous Coward

Re: Again?

Yes, that's what the article said...in the second-to-last paragraph...

9
1
Bronze badge

Re: Again?

It's like groundhog day.

4
0

Re: Again?

You can say that again!

2
0

Silver badge

Re: Again?

Hack it again, Sam!

1
0
Silver badge

On-target messaging?

"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

I read that and realize, there are no commitments or promises in that statement. And that is their message, right?

11
0

Re: On-target messaging?

"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

I read that and realize, there are no commitments or promises in that statement. And that is their message, right?

Where have you been in the last 5 years? This is the usual blanket statement every company (IoT, router, hotels, what not) has been using at every security blunder that cost their customers money.

And it's just here to hide the fact they don't give a fuck and won't spend a penny on it, even reusing previous web pages. Therefore no commitment. Sounds logical to me.

5
0
Silver badge

Re: On-target messaging?

"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

I read that and realize, there are no commitments or promises in that statement. And that is their message, right?

Considering that that is almost word for word what they said after the last breach, what do you think?

0
0
Silver badge

We at Hyatt take your ______ seriously.

a. comfort

b. credit

c. private information

d. contribution to our profits

10
0
Silver badge

even reusing the website hyatt.com/notice/protectingourcustomers from that security breach for this latest cockup.

Did they at least have the turn down service give it a once over?

4
0
Silver badge

internal verification code

...cardholder name, card number, expiration date and internal verification code...

The "internal verification code" wouldn't be the CVV/CV2 that must never, ever, on pain of immediate revocation of card handling facilities, be stored, would it?

Payment Card Industry - Time to make an example of a serial offender, by revoking their privileges as per the contract they have with you. Or is the % they pay you worth more than the cost to you and cardholders?

11
0
Silver badge

Re: internal verification code

Or is the % they pay you worth more than the cost to you and cardholders?

The PCI Security Standards Council sets the rules, but is anybody responsible for the retroactive enforcement of PCI DSS? And has that body ever barred a major corporation?

Realistically, although the industry should issue Hyatt with a ban, I don't believe they've got the will to do that. Even if they did, it would be tantamount to putting Hyatt out of business if the ban were for more than a few weeks, and I'm sure the owners and managers of Hyatt would be shielded by the US authorities stopping such a move.

For all the brave words, I can't think of any jurisdiction that takes data security seriously. Even the likely scale of GDPR fines will be trivial compared to the typical clean up costs of a data breach, so the new rules are concentrating minds briefly, but come next May, I'm not sure we'll see any slowdown in reported breaches.

2
0

I stayed at a Hyatt a few weeks ago. The phone numbers for the rewards members listed on the back of the cards were turned off. The login on the website went to a web server error page.

Once I finally found a customer service phone number and got someone on the phone, the line disconnected after I had read 4 digits of my cc number. It took another 3 calls due to disconnects to finally get the reservation confirmed.

The only reason I persisted is because I have a fair number of free nights built up and the wife was insistent I use them.

Whoever is in charge of their IT and telephony should be fired. Actually, don’t stop there. Just fire the whole damn department and start over. Any “institutional knowledge” lost from that would be a good thing.

6
0
Anonymous Coward

Chuck Floyd?

Chuck Hyatt methinks.

0
0

Hilton, too?

Just a matter of time.

1
0

Re: Hilton, too?

Hasn't that already happened?

2
0

Re: Hilton, too?

Yes, but I meant with this new thing.

0
0
Anonymous Coward

At least your credit rating is no longer a worry..

.. since you now blame that on Equifax being hacked.

Basically, you now really have to start using one stupidity to offset the other, because avoiding it seems impossible.

1
0
Silver badge

Re: At least your credit rating is no longer a worry..

Unfortunately, bringing two stupidities together just results in greater stupidity; it's like gravity in that regard. Anonymous sources confirm that researchers looking into Dark Matter actually hypothesize that it is probably leftover stupidity from civilizations long since extinct.

2
0
Silver badge

Re: At least your credit rating is no longer a worry..

"Unfortunately, bringing two stupidities together just results in greater stupidity, "

Yeah, it results in a stupidity greater than the sum of its parts. I wonder if we've reached critical mass yet? It's hard to tell as it seems to be a very slow, yet unstoppable, reaction.

1
0
Anonymous Coward

Re: At least your credit rating is no longer a worry..

I wonder if we've reached critical mass yet?

I don't know yet, but I know there's a DPA request outstanding with HSBC that may accidentally yield the answer..

0
0
Silver badge

"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously," he said.

So seriously you get hit twice.

0
0
Bronze badge

Who was the PCI auditor?

What company did Hyatt's PCI audit? Obviously the auditor was lazy or ignorant... or perhaps Hyatt lied about data protection measures. Don't rule out both being the case.

Having the CVV number is against PCI standards,

Requirement 3.2 - Storing sensitive authentication data after authorization. You can only do so if there is a business justification (not likely in this case) and if it is stored securely. Obviously this wasn't met.

Requirement 3.2.2 specifically states not to store CVV information after authorization.

Then there is Requirement 3.4 which goes into PAN data security and the use of STRONG encryption. Again, this obviously wasn't the case.

Requirements 3.5 and 3.6 go into documenting procedures for key management. Here is where the PCI auditor should have caught the problem.

So when it comes down to it, Requirement 3.x in general was not implemented, nor was it properly audited.

The information security community deserves to know who the PCI auditor is who last signed off on internal safe keeping of customer data.

0
0
Bronze badge

Tactic

Motel 6

Travelodge

BnB (not AirBnb)

cash

false signature

I rarely stay at fancy hotels. All I need is a quiet comfortable room with a shower (I'll even share plumbing at a private BnB), Wi-Fi, and I'm set. I don't hang out in hotel rooms. If I'm away from home, I'm off doing something if I'm not sleeping. I've been using cash to pay for rooms over the last several years after I had a debit card get hijacked while I was on a business trip. A couple of colleagues were able to loan me a few so I could get by until we got back. The bank would only send a replacement card to my home address and it took a couple of weeks to get my balance back even though they caught the fraud right away. Now I pay cash and only use a card as the security if I must. Same goes for petrol. I might use my card, but I keep enough dosh on hand to at least get home even if I have to do it on an empty stomach.

0
0
Anonymous Coward

Re: Tactic

Lord Lucan!

I claim my reward!!

0
0

Missing something here

Thought the whole purpose of such movies is that you don't have to slide your card into a third party...

0
0
Silver badge

Article totally devoid of details

Any idea as to the nature of the Operating System Platform Hyatt runs on?

0
1


Biting the hand that feeds IT © 1998–2017