Three Hyatt hotels in Hong Kong hit by malware designed to steal credit card data

Chain says hundreds of locations affected worldwide, including 22 in mainland China, one in Macau, and one in Taipei

PUBLISHED : Friday, 15 January, 2016, 10:15am
UPDATED : Saturday, 16 January, 2016, 3:30am

Thieves hacked into computers at high-end Hong Kong hotels, harvesting customers’ credit card details for almost four months, it has been revealed.

Three hotels operated by Hyatt in Hong Kong and 22 on the mainland were affected by malware designed to steal customers’ card data, the hotel chain said.

Hyatt Hotels said its investigation identified signs of unauthorised access to payment card data from cards used at certain Hyatt-managed locations, primarily restaurants, between August 13, 2015 and December 8, 2015.

A small number of those cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office, it said.

Hyatt Regency Hong Kong in Sha Tin, Grand Hyatt Hong Kong and Kowloon Hyatt Regency in Tsim Sha Tsui were among 200 affected hotels worldwide. The chain operates 627 hotels, resorts and properties in 52 countries.

The malware also affected one hotel in Macau.

The company could not provide figures on how many guests had been affected in the three local hotels, but a spokesman said the chain was working with local authorities to look into the cases.

It said the malware collected data including cardholder name, card number, expiration date and internal verification code as it was being routed through payment processing systems.

There was no indication that other customer information was affected, it said, adding that it was working with cyber security experts to strengthen security.

The Office of the Privacy Commissioner for Personal Data said yesterday it was investigating the incident, which has also been reported to police and the payment card networks.

Hyatt discovered the malware in late December on computers that operated its payment processing systems, and launched an investigation with the help of cybersecurity experts.

One such expert, Kenneth Wong, risk assurance partner at PwC Hong Kong, said cyberattacks posed an increasing threat to corporate computers in recent years as hackers’ tactics had become more sophisticated.

He said some advanced malware could evade security software and be implanted in point-of-sale devices before transmitting their data.

He said companies usually had security software to protect their computer networks, but they would also need to update the configuration regularly and have a specialist team monitoring the protection system closely.

“Some companies often only look at incoming traffic. It would be helpful to also monitor and be aware of sudden and enormous surges in outgoing traffic that are signs of possible hacking,” Wong said.

He added that card users who suspect their data might have been stolen should go through their card statements to check for any suspicious transactions.