Hyatt’s Indian hotels hit by global malware attack

18 Jan 2016

American hotel chain Hyatt Hotels Corporation said its properties in India were also hit by a malware that was found on its customer payments system last year in December.

The hotel chain released a list of hotels which were attacked by the malware, with 20 of its Indian hotels – 90 per cent of its Indian portfolio as of December - being victim of the attack.

As many as 250 Hyatt hotels globally, all of which it manages directly, had been infected by the malware between 13 August 2015, and 8 December 2015 within payment-processing systems at its restaurants, spas, front desks, parking and other areas in its hotels.

"The malware was designed to collect payment card data - cardholder's name, card number, expiration date and internal verification code - from cards used onsite as the data was being routed through affected payment processing systems," Hyatt's global president of operations Chuck Floyd said in a statement.

The malware was found at many of the hotel chain's brands, including the Park Hyatt, Hyatt Regency and Andaz. The United States, China and India are at the top of the list for malware-ridden hotel systems, with 99, 22 and 20 infected properties respectively. Hyatt Hotels currently operates 23 properties in the country.

A spokeswoman for Hyatt Hotels in India said the company did not have any specific comments for the payment breach at its Indian hotels as the entire investigation was being handled by the global operations team.

Hyatt is in the process of informing customers by post or email and has also notified the law enforcement and payment card networks where a cardholder's name was affected during transactions. Floyd said the company is working with fraud detection solution and technology firm CSID to offer one year's free coverage of credit card monitoring for the affected customers.

Industry trackers said that the IT vulnerability of many hotel chains may have been exposed after Hyatt - controlled by the billionaire Pritzker family - became the fifth major hotel group to have customers' credit card details hacked. In 2015, Hilton Worldwide, Starwood Hotels, Mandarin Oriental and Trump Hotel Collection were all hit by payment information breaches.

In all the instances where hotel chains were attacked, the target was the sensitive customer information which was accessed through the point of sale system through a malware.

"In these cases, the point of sale systems was targeted through malware to get customer credit cards details. Such malware extracts card details from the memory of the point of sale system, known as 'RAM-scraping'. An example of this kind of malware is 'BlackPOS', which has been successfully used before to hack into the POS systems. In order to infect these POS systems, the hackers usually target the corporate network first and then find their way into systems being used for payment processing," said Mukul Shrivastava, partner, fraud investigation and dispute services, EY.

In most of the cases, a malware is sent to the hotel networks either through emails attachments or - in some recent cases - through the hotel WiFi networks, said cyber experts. One of the latest entrants in a slew of malwares targeted at hotels is 'darkhotel'. The malware is said to be used by hackers to spy on business travellers/corporates, who conduct meetings in top hotels. The modus operandi of the hackers is to gain access to computers or phones of the corporate, while using the hotel's  WiFi services.

"Hotel operators often leave the security of their data to the IT team alone, which can in some cases be a mistake. IT teams often lack the resources and skills to secure the data. Moreover, they see it as a technical problem whereas in reality it is a criminal problem which needs to be dealt with holistically with all the management teams, including HR, legal and finance, understanding and meeting the threat from perpetrators of cyber-crime," said Gaurav Taneja, managing director for crisis and South Asia at Control Risks, a global risk and strategic consulting firm.

Industry experts say as hotels adopt more IT-centric operations, be it for loyalty programmes or advanced check-ins, they are increasingly becoming vulnerable to cyber security threats.

"It is likely that more companies (hotel) will be targeted in future as hackers require fresh set of credit card details to sell in the black market," said Shrivastava.