[Owasp-board] Hyatt Data Breach

Josh Sokol josh.sokol at owasp.org
Mon Jan 18 13:41:36 UTC 2016

I saw DerbyCon issue a similar statement as they were affected by it as
well.  I think that it would be a good "heads up" considering the community
that we serve.


On Sun, Jan 17, 2016 at 11:54 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:

> So the hotel we used was one of those breached. Anyone who stayed
> additional days, used the hotel's parking, gym, and other amenities might
> be at risk.
> Do we make a statement to owasp-community? I think we owe them that at
> least, something along the lines of:
> "OWASP uses a conference registration payments system that is separate to
> Hyatt.
> However, our hotel for AppSec USA 2015 was one of those Hyatt has
> indicated was breached:
>    - Payments made to OWASP through our conference registration system
>    are not part of the Hyatt breach
>    - If you used your card directly at Hyatt for items such as gym
>    access, car parking and so on, you might have been breached
>    - Check your credit card statements for any suspicious activity
>    - If you do spot suspicious activity, please contact your bank and
>    Hyatt directly
> For more information about the breach, please see
> http://www.hyatt.com/protectingourcustomers/
> Thoughts?
> On Tue, Jan 5, 2016 at 3:35 AM, Paul Ritchie <paul.ritchie at owasp.org>
> wrote:
>> Hi Josh, All.
>> On the OWASP Foundation side our Conference registration system for
>> payments for attendees to training and seminars is not via Hyatt.
>> We generally use the 3rd party apps through our Sales Force DB, or via
>> OWASP's RegOnline acct.
>> Occasionally we "may" pay some hotel catering or A/V bills via the OWASP
>> Credit card... but we also do a reconciliation of the OWASP Credit card
>> statement, ** every single month **.
>> I can see some potential risk to our attendees, if they used their
>> personal credit cards to pay for hotel sleeping rooms, etc. at a Hyatt.
>> So, if they did find a fraudulent charge on their personal card, they'd
>> need to take that up with Hyatt directly.
>> Paul
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>> On Mon, Jan 4, 2016 at 7:11 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> I know that we've used Hyatt for a few conferences.  I wonder how this
>>> may affect us or our attendees?
>>> --Hyatt Hotels Says Malware Found on Payment Systems
>>> (December 23 & 24, 2015)
>>> Add Hyatt to the list of hotels that has found malware on its payment
>>> systems. Hyatt disclosed the breach on December 23, 2015, but did not
>>> say how many of its properties were affected. The malware is designed to
>>> steal payment card information. Hyatt has called in an outside company
>>> to investigate.
>>> http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/
>>> http://www.nbcnews.com/tech/security/hyatt-hotels-notifies-customers-malware-found-payment-systems-n485351
>>> http://www.bbc.com/news/technology-35175263
>>> http://thehill.com/policy/cybersecurity/264182-hyatt-hotels-hit-by-hackers
>>> http://www.hyatt.com/protectingourcustomers/
>>> ~josh