Hyatt Hotels Corp. has proven that the adage “once bitten, twice shy” is inaccurate after revealing that its payment system was hacked and customer data such as credit card details were stolen.

It was the latest significant hack to target the hotel chain since its last data breach in December 2015.

Hyatt fully disclosed the hack and its details, saying that it involved “unauthorized access” to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18 and July 2. The Hyatt hotels affected span the globe, with the majority, 18, located in China but also including Hyatt properties in Southeast Asia, South America and the United States.

“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” Chuck Floyd, Hyatt’s head of global operations said in a statement. “Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.”

Steve Moore, vice president and chief security strategist at Exabeam Inc., praised Hyatt for its public disclosure, adding that the fact that they discovered the breach themselves was a positive.

“I credit them first for self-discovery,” he said. “Several interesting things include the location of affected hotels, specifically China and the fact that the infection point was from ‘cards manually entered or swiped at the front desk.'”

Explaining the likely attack vector, Moore added that “in several public cases, adversaries will call the front desk complaining of an issue and send an email with supporting information, containing VBScript or macros that download malware and continue with password stealing and enabling remote desktop access. Alternatively, physical access could have resulted in a similar initial infection: old methods such as ‘may I use your computer’ or tossing about malware-laden USB drives.”

Image: Pixabay