Didn't Hyatt have a breach a couple of years ago? Or was it some other hotel chain?
Hyatt has provided the perfect excuse for folks trying to explain to bosses or spouses why a film they watched in their hotel room for just seven minutes appeared on their company or personal credit card. Its computer systems were earlier this year hacked by miscreants, who infected payment terminals with malware that siphoned …
"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"
"I read that and realize, there are no commitments or promises in that statement. And that is their message, right?"
Where have you been in the last 5 years? This is the usual blanket statement every company (IoT, router, hotels, what not) has been using at every security blunder that cost money to their customers.
And it's just here to hide the fact they don't give a fuck and won't spend a penny on it, even reusing previous web pages. Therefore no commitment. Sounds logical to me.
"Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,"
I read that and realize, there are no commitments or promises in that statement. And that is their message, right?
Considering that that is almost word for word what they said after the last breach, what do you think?
...cardholder name, card number, expiration date and internal verification code...
The "internal verification code" wouldn't be the CVV/CV2 that must never, ever, on pain of immediate revocation of card handling facilities, be stored, would it?
Payment Card Industry - Time to make an example of a serial offender, by revoking their privileges as per the contract they have with you. Or is the % they pay you worth more than the cost to you and cardholders?
"Or is the % they pay you worth more than the cost to you and cardholders?"
The PCI Security Standards Council sets the rules, but is anybody responsible for the retroactive enforcement of PCI DSS? And has that body ever barred a major corporation?
Realistically, although the industry should issue Hyatt with a ban, I don't believe they've got the will to do that. Even if they did, it would be tantamount to putting Hyatt out of business if the ban were for more than a few weeks, and I'm sure the owners and managers of Hyatt would be shielded by the US authorities stopping such a move.
For all the brave words, I can't think of any jurisdiction that takes data security seriously. Even the likely scale of GDPR fines will be trivial compared to the typical clean up costs of a data breach, so the new rules are concentrating minds briefly, but come next May, I'm not sure we'll see any slowdown in reported breaches.
I stayed at a Hyatt a few weeks ago. The phone numbers for the rewards members listed on the back of the cards were turned off. The login on the website went to a web server error page.
Once I finally found a customer service phone number and got someone on the phone, the line disconnected after I had read 4 digits of my cc number. It took another 3 calls due to disconnects to finally get the reservation confirmed.
The only reason I persisted is because I have a fair number of free nights built up and the wife was insistent I use them.
Whoever is in charge of their IT and telephony should be fired. Actually, don’t stop there. Just fire the whole damn department and start over. Any “institutional knowledge” lost from that would be a good thing.
Unfortunately, bringing two stupidities together just results in greater stupidity; it's like gravity in that regard. Anonymous sources confirm that researchers looking into Dark Matter actually hypothesize that it is probably leftover stupidity from civilizations long since extinct.
"Unfortunately, bringing two stupidities together just results in greater stupidity"
Yeah, it results in a stupidity greater than the sum of its parts. I wonder if we've reached critical mass yet? It's hard to tell as it seems to be a very slow, yet unstoppable, reaction.
What company did Hyatt's PCI audit? Obviously the auditor was lazy or ignorant... or perhaps Hyatt lied about data protection measures. Don't rule out both being the case.
Having the CVV number is against PCI standards:
Requirement 3.2 - Storing sensitive authentication data after authorization. You can only do so if there is a business justification (not likely in this case) and if it is stored securely. Obviously this wasn't met.
Requirement 3.2.2 specifically states not to store CVV information after authorization.
Then there is Requirement 3.4 which goes into PAN data security and the use of STRONG encryption. Again, this obviously wasn't the case.
Requirements 3.5 and 3.6 go into documenting procedures for key management. Here is where the PCI auditor should have caught the problem.
So when it comes down to it, Requirement 3.x in general was not implemented, nor was it properly audited.
The information security community deserves to know who the PCI auditor is who last signed off on internal safe keeping of customer data.
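As an added illustration of the retention rules this comment cites (not code from Hyatt, the PCI SSC or the commenter), here is a Python sketch that drops sensitive authentication data after authorization (3.2.2), keeps the PAN only as a truncated value plus a keyed hash (3.4), and audits stored records for leftovers. The field names, the sample transaction and HASH_KEY are constructed assumptions.

```python
import hmac
import hashlib
import re

# Fields PCI DSS 3.2 calls "sensitive authentication data": never retained after authorization.
SENSITIVE_AUTH_FIELDS = ("cvv", "track_data", "pin_block")

# Constructed example key; a real deployment manages this under the 3.5/3.6 key-management rules.
HASH_KEY = b"constructed-example-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Sanity-check a PAN with the Luhn checksum before treating it as card data."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def render_pan_unreadable(pan: str) -> dict:
    """Requirement 3.4 style: keep only first six / last four plus a keyed hash for matching."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return {
        "pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_hmac": hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest(),
    }


def prepare_for_storage(txn: dict) -> dict:
    """Turn an authorized transaction into a record that is safe to persist (3.2.2 + 3.4)."""
    stored = {k: v for k, v in txn.items() if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored.update(render_pan_unreadable(txn["pan"]))
    return stored


def retention_violations(stored_records: list) -> list:
    """Audit check: (index, field) pairs where a stored record still holds data 3.2/3.4 forbid."""
    found = []
    for i, rec in enumerate(stored_records):
        for field in SENSITIVE_AUTH_FIELDS + ("pan",):
            if field in rec:
                found.append((i, field))
    return found
```

Cardholder name and expiry are ordinary cardholder data and may be kept; only the CVV, track data, PIN block and the clear PAN are stripped.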
BnB (not AirBnb)
I rarely stay at fancy hotels. All I need is a quiet, comfortable room with a shower (I'll even share plumbing at a private BnB) and Wi-Fi, and I'm set. I don't hang out in hotel rooms. If I'm away from home, I'm off doing something if I'm not sleeping. I've been using cash to pay for rooms over the last several years after I had a debit card get hijacked while I was on a business trip. A couple of colleagues were able to loan me a few so I could get by until we got back. The bank would only send a replacement card to my home address, and it took a couple of weeks to get my balance back even though they caught the fraud right away. Now I pay cash and only use a card as the security if I must. Same goes for petrol. I might use my card, but I keep enough dosh on hand to at least get home even if I have to do it on an empty stomach.
Biting the hand that feeds IT © 1998–2019