[Owasp-board] Hyatt Data Breach

Andrew van der Stock vanderaj at owasp.org
Mon Jan 18 05:54:24 UTC 2016

So the hotel we used was one of those breached. Anyone who stayed
additional days, used the hotel's parking, gym, and other amenities might
be at risk.

Do we make a statement to owasp-community? I think we owe them that at
least, something along the lines of:

"OWASP uses a conference registration payments system that is separate to

However, our hotel for AppSec USA 2015 was one of those Hyatt has indicated
was breached:

   - Payments made to OWASP through our conference registration system are
   not part of the Hyatt breach
   - If you used your card directly at Hyatt for items such as gym access,
   car parking and so on, you might have been breached
   - Check your credit card statements for any suspicious activity
   - If you do spot suspicious activity, please contact your bank and Hyatt

For more information about the breach, please see


On Tue, Jan 5, 2016 at 3:35 AM, Paul Ritchie <paul.ritchie at owasp.org> wrote:

> Hi Josh, All.
> On the OWASP Foundation side our Conference registration system for
> payments for attendees to training and seminars is not via Hyatt.
> We generally use the 3rd party apps through our Sales Force DB, or via
> OWASP's RegOnline acct.
> Occasionally we "may" pay some hotel catering or A/V bills via the OWASP
> Credit card.....but we also do a reconciliation of the OWASP Credit card
> statement, ** every single month **.
> I can see some potential risk to our attendees, if they used their
> personal credit cards to pay for hotel sleeping rooms, etc. at a Hyatt.
> So, if they did find a fraudulent charge on their personal card, they'd
> need to take that up with Hyatt directly.
> Paul
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org
> On Mon, Jan 4, 2016 at 7:11 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> I know that we've used Hyatt for a few conferences.  I wonder how this
>> may affect us or our attendees?
>> --Hyatt Hotels Says Malware Found on Payment Systems
>> (December 23 & 24, 2015)
>> Add Hyatt to the list of hotels that has found malware on its payment
>> systems. Hyatt disclosed the breach on December 23, 2015, but did not
>> say how many of its properties were affected. The malware is designed to
>> steal payment card information. Hyatt has called in an outside company
>> to investigate.
>> http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/
>> http://www.nbcnews.com/tech/security/hyatt-hotels-notifies-customers-malware-found-payment-systems-n485351
>> http://www.bbc.com/news/technology-35175263
>> http://thehill.com/policy/cybersecurity/264182-hyatt-hotels-hit-by-hackers
>> http://www.hyatt.com/protectingourcustomers/
>> ~josh
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160118/c84e3772/attachment.html>

More information about the Owasp-board mailing list