back to article Malware again checks into Hyatt's hotels, again checks out months later with victims' credit cards

Hyatt has provided the perfect excuse for folks trying to explain to bosses or spouses why a film they watched in their hotel room for just seven minutes appeared on their company or personal credit card. Its computer systems were earlier this year hacked by miscreants, who infected payment terminals with malware that siphoned …

  1. a_yank_lurker Silver badge

    Again?

    Didn't Hyatt have a breach a couple of years ago? Or was it some other hotel chain?

    1. Anonymous Coward
      Anonymous Coward

      Re: Again?

      Yes, that's what the article said...in the second-to-last paragraph...

      1. Mr Dogshit

        Re: Again?

        It's like groundhog day.

        1. Aqua Marina Silver badge

          Re: Again?

          You can say that again!

          1. Solarflare

            Re: Again?

            It's like groundhog day.

            1. Destroy All Monsters Silver badge

              Re: Again?

              Hack it again, Sam!

  2. Notas Badoff

    On-target messaging?

    "Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

    I read that and realize, there are no commitments or promises in that statement. And that is their message, right?

    1. regadpellagru

      Re: On-target messaging?

      ""Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

      I read that and realize, there are no commitments or promises in that statement. And that is their message, right?"

      Where have you been in the last 5 years ? This is the usual blanket statement every company (IOT, router, hotels, what not) has been using at every security blunder that costed money to their customers.

      And it's just here to hide the fact they don't get a fuck and won't spend a penny on it, even reusing previous web pages. Therefore no commitment. Sounds logical to me.

    2. John Brown (no body) Silver badge
      Thumb Up

      Re: On-target messaging?

      "Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"

      I read that and realize, there are no commitments or promises in that statement. And that is their message, right?

      Considering that that is almost word for word what they said after the last breach, what do you think?

  3. redpawn Silver badge

    We at Hyatt take your ______ seriously.

    a. comfort

    b. credit

    c. private information

    d. contribution to our profits

  4. Nolveys Silver badge

    even reusing the website hyatt.com/notice/protectingourcustomers from that security breach for this latest cockup.

    Did they at least have the turn down service give it a once over?

  5. tfewster Silver badge
    Facepalm

    internal verification code

    ...cardholder name, card number, expiration date and internal verification code...

    The "internal verification code" wouldn't be the CVV/CV2 that must never, ever, on pain of immediate revocation of card handling facilities, be stored, would it?

    Payment Card Industry - Time to make an example of a serial offender, by revoking their privileges as per the contract they have with you. Or is the % they pay you worth more than the cost to you and cardholders?

    1. Anonymous Coward
      Anonymous Coward

      Re: internal verification code

      Or is the % they pay you worth more than the cost to you and cardholders?

      PCI Security Standards Council set the rules, but is anybody responsible for the retroactive enforcement of PCI DSS? And have that body ever barred a major corporation?

      Realistically, although the industry should issue Hyatt with a ban, I don't believe they've got the will to do that. Even if they did, it would be tantamount to putting Hyatt out of business if the ban were for more than a few weeks, and I'm sure the owners and managers of Hyatt would be shielded by the US authorities stopping such a move.

      For all the brave words, I can't think of any jurisdiction that takes data security seriously. Even the likely scale of GDPR fines will be trivial compared to the typical clean up costs of a data breach, so the new rules are concentrating minds briefly, but come next May, I'm not sure we'll see any slowdown in reported breaches.

  6. Bob Dole (tm)
    Mushroom

    I stayed at a Hyatt a few weeks ago. The phone numbers for the rewards members listed on the back of the cards were turned off. The login on the website went to a web server error page.

    Once I finally found a customer service phone number and got someone on the phone the line disconnected after I had read 4 digits of my cc number. It took another 3 calls due to disconnects finally get the reservation confirmed.

    The only reason I persisted is because I have a fair number of free nights built up and the wife was insistent I use them.

    Whoever is in charge of their IT and telephony should be fired. Actually, don’t stop there. Just fire the whole damn department and start over. Any “institutional knowledge” lost from that would be a good thing.

  7. Anonymous Coward
    Anonymous Coward

    Chuck Floyd?

    Chuck Hyatt methinks.

  8. thomas k

    Hilton, too?

    Just a matter of time.

    1. Richard Rae
      Paris Hilton

      Re: Hilton, too?

      Hasn't that already happened?

      1. thomas k

        Re: Hilton, too?

        Yes, but I meant with this new thing.

  9. Anonymous Coward
    Anonymous Coward

    At least your credit rating is no longer a worry..

    .. since you now blame that on Equifax being hacked.

    Basically, you now really have to start using one stupidity to offset the other, because avoiding it seems impossible.

    1. Destroy All Monsters Silver badge

      Re: At least your credit rating is no longer a worry..

      Unfortunately, bringing two stupidities together just results in greater stupidity, it's like a gravity in that regard. Anonymous sources confirm that researches looking into Dark Matter actually hypothesize that it is probably leftover stupidity from civilizations long since extinct.

      1. John Brown (no body) Silver badge

        Re: At least your credit rating is no longer a worry..

        "Unfortunately, bringing two stupidities together just results in greater stupidity, "

        Yeah, it results in a stupidity greater than the sum of it's parts. I wonder if we've reached critical mass yet? It's hard to tell as it seems to be a very slow, yet unstoppable, reaction.

        1. Anonymous Coward
          Anonymous Coward

          Re: At least your credit rating is no longer a worry..

          I wonder if we've reached critical mass yet?

          I don't know yet, but I know there's a DPA request outstanding with HSBC that may accidentally yield the answer..

  10. adam payne Silver badge

    "Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously," he said.

    So seriously you get hit twice.

  11. Aodhhan Bronze badge

    Who was the PCI auditor?

    What company did Hyatt's PCI audit? Obviously the auditor was lazy or ignorant... or perhaps Hyatt lied about data protection measures. Don't rule out both being the case.

    Having the CVV number is against PCI standards,

    Requirement 3.2 - Storing sensitive authentication data after authorization. You can only do so if there is a business justification (not likely in this case) and if it is stored securely. Obviously this wasn't met.

    Requirement 3.2.2 specifically states not to store CVV information after authorization.

    Then there is Requirement 3.4 which goes into PAN data security and the use of STRONG encryption. Again, this obviously wasn't the case.

    Requirements 3.5 and 3.6 goes into documenting procedures for key management. Here is where the PCI auditor should have caught the problem.

    So when it comes down to it. Requirement 3.x in general was not implemented, nor was it properly audited.

    The information security community deserves to know who the PCI auditor is who last signed off on internal safe keeping of customer data.

  12. MachDiamond Silver badge

    Tactic

    Motel 6

    Travelodge

    BnB (not AirBnb)

    cash

    false signature

    I rarely stay at fancy hotel. All I need is a quiet comfortable room with a shower (I'll even share plumbing at a private BnB) Wi-Fi and I'm set. I don't hang out in hotel rooms. If I'm away from home, I'm off doing something if I'm not sleeping. I've been using cash to pay for rooms over the last several years after I had a debit card get highjacked while I was on a business trip. A couple of colleagues were able to loan me a few so I could get by until we got back. The bank would only send a replacement card to my home address and it took a couple of weeks to get my balance back even though they caught the fraud right away. Now I pay cash and only use a card as the security if I must. Same goes for petrol. I might use my card, but I keep enough dosh on hand to at least get home even if I have to do it on an empty stomach.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tactic

      Lord Lucan!

      I claim my reward!!

  13. Chairman of the Bored Silver badge

    Missing something here

    Thought the whole purpose of such movies is that you dont have to slide your card into a third party...

  14. Walter Bishop Silver badge
    Facepalm

    Article totally devoid of details

    Any idea as to the nature of the Operating System Platform Hyatt runs on?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019