Hyatt says data breach started in August

[LONDON] Hyatt Hotels Corp said a previously reported malware attack to steal payment card data occurred between August 13 and Dec 8, primarily at its restaurants.

The hotel operator listed affected locations worldwide and the period when they were at risk, on its website.

"We do not know the number of customers affected at this time," company spokeswoman Stephanie Sheppard said in an email.

The hotel operator said on Thursday it identified unauthorized access to data on cards used at certain Hyatt-managed locations, primarily its restaurants.

The company also said the "at-risk window" for a limited number of locations began on or shortly after July 30.

The malware was designed to collect data such as cardholder name, card number, expiration date and internal verification code, the company said.

Hyatt said it has notified the appropriate country and state regulators and is working with the US Federal Bureau of Investigation.

Shares of Hyatt closed down 3 per cent at US$38.67. Up to Wednesday's close, they had lost about a fifth of their value since the data breach was announced.

Hyatt said it has arranged an identity protection and fraud detection firm to provide one year of free services to affected customers. The company disclosed in December that its payment processing system was infected with malware but did not mention how long its network was infected.

Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.

Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc disclosed attacks on payment processing systems in November.

Donald Trump's luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.

REUTERS