Hyatt Data Breach and The Importance of Checking Your Statements

Dec 26, 2015

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Update: Some offers mentioned below are no longer available. View the current offers here.

Update: About a month following Hyatt’s data breach, management has finally released a list of all of its properties that were affected. Management also issued a statement, reading in part:

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015.

 

The malware was designed to collect payment card data — cardholder name, card number, expiration date and internal verification code — from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected.

There’s a large list of properties that were affected both in the US and internationally, including the Park Hyatt New YorkPark Hyatt Tokyo, Andaz San Diego, Grand Hyatt Santiago and many more. Click here for a full list of the impacted properties.

Also noted in the statement, Hyatt said it’s offering fraud protection to those affected:

Additionally, Hyatt has arranged for CSID to provide one year of CSID’s Protector services to affected customers at no cost to them. CSID is one of the leading providers of fraud detection solutions and technologies. In order to activate CSID’s Protector coverage, affected customers in the U.S. may visit www.csid.com/hyatt-us and affected customers outside the US may visit www.csid.com/hyatt-intl to complete a secure sign up and enrollment process.

Even if you stayed at a Hyatt property that isn’t on the list or during the given time period, it wouldn’t hurt to monitor your credit card account and carefully review your statements.

Original Post:

Over the holiday, Hyatt announced that it discovered malware on its computer network, specifically affecting the chain’s payment processing system. Of course, the implication is that customer data was compromised, even though the short memo hasn’t confirmed as much. Hyatt will be posting updates to hyatt.com/protectingourcustomers.

While it’s too early to say whether you need to take any action, such as requesting a replacement account number, Hyatt’s memo does reinforce an important point that should apply all the time, not only following a potential breach:

As always, we encourage customers to review their payment card account statements closely and to report any unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.

If you have automatic bill payments set up, it’s easy to miss individual charges on your statement, though it’s still your responsibility to inform a card issuer of unauthorized transactions.

A New York Bar tab because more difficult to swallow when you didn
A New York Bar tab is more difficult to swallow when you didn’t get to enjoy the drinks.

I recommend the following to minimize the work required on your end and make it possible to catch unauthorized charges quickly:

  1. Review your in-house hotel statement carefully at checkout and ask for incorrect charges to be removed before you leave.
  2. Set up email alerts with your card issuer so you’re informed each time a large purchase is charged to your card.
  3. Review your credit card statements at least once a month, including pending charges (as transactions may take several days to post to your bill).

Additionally, while I always travel with my Chase Sapphire Preferred card to earn 2x on travel, I also carry at least one additional card, such as my Starwood Preferred Guest Credit Card from American Express or Citi Prestige. That way, if my primary card is compromised, I have a backup to use on the trip (although many card issuers will ship you a replacement overnight).

What do you do to prevent unauthorized charges?

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.