
Hyatt Data Breach and The Importance of Checking Your Statements


Update: About a month following Hyatt’s data breach, management has finally released a list of all of its properties that were affected. Management also issued a statement, reading in part:

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.


The malware was designed to collect payment card data — cardholder name, card number, expiration date and internal verification code — from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

There’s a large list of properties that were affected both in the US and internationally, including the Park Hyatt New York, Park Hyatt Tokyo, Andaz San Diego, Grand Hyatt Santiago and many more. Click here for a full list of the impacted properties.

Also noted in the statement, Hyatt said it’s offering fraud protection to those affected:

Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them. CSID is one of the leading providers of fraud detection solutions and technologies. In order to activate CSID’s Protector coverage, affected customers in the U.S. may visit and affected customers outside the US may visit to complete a secure sign up and enrollment process.

Even if you stayed at a Hyatt property that isn’t on the list, or stayed outside the given time period, it wouldn’t hurt to monitor your credit card account and carefully review your statements.

Original Post:

Over the holiday, Hyatt announced that it discovered malware on its computer network, specifically affecting the chain’s payment processing system. Of course, the implication is that customer data was compromised, even though the short memo hasn’t confirmed as much. Hyatt will be posting updates to

While it’s too early to say whether you need to take any action, such as requesting a replacement account number, Hyatt’s memo does reinforce an important point that should apply all the time, not only following a potential breach:

As always, we encourage customers to review their payment card account statements closely and to report any unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.

If you have automatic bill payments set up, it’s easy to miss individual charges on your statement, though it’s still your responsibility to inform a card issuer of unauthorized transactions.

A New York Bar tab is more difficult to swallow when you didn’t get to enjoy the drinks.

I recommend the following to minimize the work required on your end and make it possible to catch unauthorized charges quickly:

  1. Review your in-house hotel statement carefully at checkout and ask for incorrect charges to be removed before you leave.
  2. Set up email alerts with your card issuer so you’re informed each time a large purchase is charged to your card.
  3. Review your credit card statements at least once a month, including pending charges (as transactions may take several days to post to your bill).

Additionally, while I always travel with my Chase Sapphire Preferred card to earn 2x on travel, I also carry at least one additional card, such as my SPG Amex or Citi Prestige. That way, if my primary card is compromised, I have a backup to use on the trip (although many card issuers will ship you a replacement overnight).

What do you do to prevent unauthorized charges?
