15-Week Malware Attack Stole Card Data From 41 Hotels Across 11 Countries
For the second time since 2015, Hyatt Hotels has suffered a breach of customers’ payment card data due to attackers infecting its IT systems with malware.
The Chicago-based hotel chain says the latest breach lasted for more than three months this year and affected a total of 41 properties in 11 countries.
The breach ran from March 18 to July 2, when Hyatt discovered the intrusion, according to a Hyatt data breach notification issued Thursday by Chuck Floyd, global president of operations at the hotel chain.
“Hyatt’s cybersecurity team discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations,” according to Hyatt’s breach FAQ. “Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities.”
That investigation discovered malware infections at 41 properties – including 18 in China, which was the most affected country. In the United States, seven properties were breached, including three in Hawaii, three in Puerto Rico and one in Guam. Other affected countries included Brazil, Colombia, India, Indonesia, Japan, Malaysia, Mexico, Saudi Arabia and South Korea.
Hyatt says it appears that only data from payment cards – comprising the cardholder name, card number, expiration date and internal verification code – was stolen. “There is no indication that any other information was involved,” Hyatt says.
The hotel chain didn’t immediately respond to a request for comment about whether the malware had infected point-of-sale systems or some other part of its IT infrastructure, or how attackers were able to infiltrate its network.
But Hyatt claims that its information security investments helped it resolve the infection expeditiously. “Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue,” Floyd says.
The hotel chain did not immediately respond to a request for comment about how its “enhanced cybersecurity and additional layers of defense” left the breach unspotted for more than three months.
Breach Victim Count: Unknown
Hyatt does not know how bad the breach might be. “While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected,” Floyd says.
Hence the hotel chain says that anyone who checked into an infected Hyatt hotel will have been “directly contacted” by Hyatt, if it has the customer’s contact details. For anyone who stayed at an infected property, meanwhile, Hyatt recommends that they “review their payment card account statements closely and report any unauthorized charges to their card issuer immediately.”
Hyatt’s new breach alert follows the hotel chain having suffered another POS malware infection in 2015. That breach lasted for four months and affected 250 Hyatt hotels across 50 countries.
POS Breach Analysis
While Hyatt’s breach notification suggests that its in-house security team discovered the most recent POS breach, according to FireEye’s Mandiant, 47 percent of all breached organizations learn about the intrusion thanks to an external source.
In the case of POS breaches, Verizon’s “2017 Data Breach Investigations Report” says that when an organization learns about the intrusion from an external source, it’s most often via card issuers’ fraud-detection teams, followed by law enforcement agencies and the organization’s own customers.
Verizon’s study includes an analysis of 175 point-of-sale breaches and found that about two-thirds involved attackers using stolen credentials to remotely access a POS environment and install malware. About one-third of POS intrusions resulted from attackers using brute-force attacks to guess usernames and passwords to gain access to the environment.
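The remote-access pattern behind the Verizon figures, as an added example of detection logic that is not from the article or the report: a burst of failed logins against a POS gateway account is flagged, and flagged more urgently when the burst ends in a successful login, the signature of a guessed or stolen password now in use. The sshd-style log format, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical sshd-style format; not Hyatt's logs.
SAMPLE_LOG = """\
2017-03-18T02:14:01Z pos-gw-01 sshd: Failed password for vendor-svc from 203.0.113.45
2017-03-18T02:14:03Z pos-gw-01 sshd: Failed password for vendor-svc from 203.0.113.45
2017-03-18T02:14:05Z pos-gw-01 sshd: Failed password for vendor-svc from 203.0.113.45
2017-03-18T02:14:08Z pos-gw-01 sshd: Failed password for vendor-svc from 203.0.113.45
2017-03-18T02:14:11Z pos-gw-01 sshd: Failed password for vendor-svc from 203.0.113.45
2017-03-18T02:14:40Z pos-gw-01 sshd: Accepted password for vendor-svc from 203.0.113.45
2017-03-18T09:00:12Z pos-gw-01 sshd: Failed password for frontdesk from 10.20.0.7
2017-03-18T09:00:30Z pos-gw-01 sshd: Accepted password for frontdesk from 10.20.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(text):
    """Turn raw lines into (timestamp, result, user, source) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (source, user) pairs with >= threshold failures inside the window;
    followed_by_success marks a burst that ended in an Accepted login."""
    failures = defaultdict(list)   # (src, user) -> failure timestamps, in time order
    successes = defaultdict(list)  # (src, user) -> success timestamps
    for ts, result, user, src in sorted(events):
        (failures if result == "Failed" else successes)[(src, user)].append(ts)
    findings = []
    for key, times in failures.items():
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                later_ok = any(t >= burst_end for t in successes.get(key, []))
                findings.append({"source": key[0], "user": key[1],
                                 "failures": len(times),
                                 "followed_by_success": later_ok})
                break  # one finding per (source, user) pair
    return findings
```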
While attackers may use different types of POS malware, security experts say that it is functionally very similar. In 95 percent of the attacks studied by Verizon, POS malware scraped data from running memory, meaning it could intercept card data before it might have been encrypted and stored. About half of all POS breaches seen last year also included keylogger functionality, although Verizon says most of these attacks involved a single strain of malware that included both memory-scraping as well as keylogging capabilities.
Hyatt’s breach notification, which notes that compromised card data included not only cards that were swiped but also manually entered, suggests that this dual-capability malware was used. One such example of this type of malware is Poseidon, or PoSeidon, which was discovered in 2015 and includes a loader, a memory scraper as well as a keylogger (see Why POS Malware Still Works).
Most POS malware also includes the ability to connect to a command-and-control network to relay exfiltrated card data to attackers.
Hospitality Sector Breach Epidemic
The hospitality sector, including hotels and restaurants, is continuing to experience a breach epidemic.
In July, Trump Hotels warned that it had suffered its third payment card breach in as many years, saying attackers had been compromising card data at 14 of its properties for seven months (see Trump Hotels Suffers Another Payment Card Breach).
In April, Intercontinental Hotels Group warned that malware had infected POS devices at 1,200 of its locations – including Crowne Plaza, Intercontinental, Kimpton and Holiday Inn properties – beginning in September 2016.
Other hotels that have been breached include HEI Hotels & Resorts – which manages some hotels owned by IHG – as well as Hilton, Omni Hotels & Resorts and Starwood Hotels and Resorts, among others.
Attackers have also sabotaged third-party POS service providers, including Oracle, to steal card data. In August of last year Oracle warned that an attacker planted malware in a support portal for servicing and maintaining its MICROS POS systems – one of the most widely used POS systems in the world, with 330,000 customers in 180 countries.