Hyatt admits credit-card point-of-sale cyber attack

Yet another point-of-sale attack harvesting card data that PCI-DSS encryption rules leave in the clear in POS memory

High-end hotel chain Hyatt Hotels has warned customers to check their bank statements after admitting that the organisation's payment systems were compromised by hackers between 13 August and 8 December last year.

The warning comes as the hotel chain releases more information about the cyber attack that it disclosed before Christmas, and comes after rival chain Hilton Hotels also admitted falling victim to a similar attack.

In a statement, Hyatt claimed that its investigation had "identified signs of unauthorised access to payment card data... at certain Hyatt-managed locations, primarily at restaurants".

Hyatt identified point-of-sale malware as the source of the compromise. "The malware was designed to collect payment card data - cardholder name, card number, expiration date and internal verification code - from cards used onsite as the data was being routed through affected payment processing systems," its advisory continued.

The malware does not break any encryption. PCI-DSS requires cardholder data to be encrypted when it is stored and when it is sent over public networks, but nothing in the standard keeps the card number from passing through the POS application's memory in the clear while a swipe is being processed. Memory-scraping malware reads it there, before the application ever encrypts it, and transmits the harvested details to the attackers.

The PCI Council has since published a point-to-point encryption (P2PE) standard under which the card reader itself encrypts the data before it reaches the POS, but P2PE is optional and many payment systems in operation today have not been upgraded to it. Indeed, many are still running on Microsoft Windows XP, which has been out of support since April 2014.

At the same time, many parts of the world - the US in particular - have been slow to move to EMV chip cards. A chip authenticates each transaction with a one-time cryptogram, so data captured from one purchase cannot be replayed to clone a card, whereas the static contents of a magnetic stripe can be copied and reused. EMV does not by itself keep the card number out of POS memory, however.

Naturally, Hyatt's global president of operations claimed that the organisation "take[s] the security of customer data very seriously", and added: "We want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future."

Hotels are often targeted by attackers as they typically keep credit and debit card details on file for the duration of an individual's stay in order to cover incidentals, suggested Mark Bower, global director of product management at HPE Security, part of Hewlett Packard Enterprise.

"Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise," said Bower.

He continued: "It appears a good portion of breached data came from the restaurant side of the hotel chain's facilities. These are often integrated point-of-sale environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself.

"Such POS systems are thus a target for payment-specific malware. Many quick service and restaurant organisations have implemented newer data-centric security in these platforms by the addition of new card reading systems which encrypt the data before it arrives into the POS itself."

Bower added that the shift towards EMV-standard chip cards ought to encourage retailers, hotels and anyone else running point-of-sale systems to upgrade their software accordingly to ensure end-to-end encryption for transactions.

"If the POS is compromised with this approach, the attackers get nothing," he said, adding that it was "realistically the only way to avoid POS malware... Traditional approaches of monitoring and anti-virus will only be effective until the next undetectable malware arrives."
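The mechanism described earlier (card data readable in POS memory because PCI-DSS only requires it encrypted at rest and in transit) and Bower's point that a reader which encrypts before the POS leaves the attacker nothing can both be shown with a small memory scanner. The following is an added example written for this page, not code from Hyatt's advisory or from HPE: it scans a constructed stand-in for a slice of POS process memory for Track 2 records the way memory-scraping malware, or a forensic DLP sweep hunting for it, would, using the Luhn check digit to discard digit runs that merely look like card numbers, and then runs the same scan over the same two swipes as they would sit in memory after a P2PE-style reader encrypted them. The memory contents, key serial numbers and ciphertext are constructed placeholders, not real data, and the card numbers are the standard public test numbers.

```python
import re

# Track 2 as a magnetic-stripe reader emits it: PAN '=' YYMM service-code discretionary-data.
# The ';' start and '?' end sentinels are optional because some POS software strips them.
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]{0,30})")


def luhn_ok(pan: str) -> bool:
    """True if the digit string satisfies the Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI-DSS permits a display to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Find Track 2 records in a memory image.

    The regex finds everything shaped like a track; the Luhn check drops the many
    digit runs (order numbers, timestamps, receipt IDs) that match the shape but are
    not card numbers. Only masked PANs are returned so the scan itself does not leak.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        yymm = m.group(2).decode()
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": f"{yymm[2:]}/{yymm[:2]}",          # YYMM on the track -> MM/YY
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed stand-in for a slice of POS application memory (not a real dump):
# two swipes in the clear, plus an order number shaped like a PAN that fails Luhn.
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00ORDER 1234567890123456=2712000 TABLE 14\x00"
    b";4111111111111111=27121011234567890?\x00\x00"
    b"auth_response=APPROVED\x00"
    b"5555555555554444=2606201000000000000\x00"
)

# The same two swipes as they reach the POS from a P2PE-style reader: the reader
# encrypted the track under a key the POS never holds and passed on only a key
# serial number (KSN) and ciphertext. Both values here are constructed placeholders.
P2PE_POS_MEMORY = (
    b"\x00\x00ORDER 1234567890123456=2712000 TABLE 14\x00"
    b"KSN=FFFF9876543210E00003 TRK2=9A3F0C7E1B44D2A9F0E6C3B17D8A2F41\x00"
    b"auth_response=APPROVED\x00"
    b"KSN=FFFF9876543210E00004 TRK2=4C1E8D0B7A3F92E5C6B0D1A8F7E4230B\x00"
)


if __name__ == "__main__":
    for label, image in (("cleartext POS", CLEARTEXT_POS_MEMORY), ("P2PE reader", P2PE_POS_MEMORY)):
        hits = scan_memory(image)
        print(f"{label}: {len(hits)} card record(s) recoverable from memory")
        for h in hits:
            print(f"  offset {h['offset']:4d}  {h['pan']}  exp {h['expiry']}  svc {h['service_code']}")
```

Against the cleartext image the scanner recovers both swipes and correctly ignores the order number; against the P2PE image it finds nothing, which is exactly the "attackers get nothing" outcome Bower describes. Note that the scanner, like the malware, never needs any key or any privilege beyond reading the POS process's memory, which is why monitoring and anti-virus only ever catch the samples they already know.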