[Owasp-board] Hyatt Data Breach

Paul Ritchie paul.ritchie at owasp.org
Mon Jan 18 16:46:39 UTC 2016

Josh, Andrew, all:

Under the theory, better late than never.....I can have a short message
drafted up today and have it distributed out to all Attendees of the
AppSec2015 event in San Francisco.


Best Regards, Paul Ritchie
OWASP Executive Director
paul.ritchie at owasp.org

On Mon, Jan 18, 2016 at 5:41 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I saw DerbyCon issue a similar statement as they were affected by it as
> well.  I think that it would be a good "heads up" considering the community
> that we serve.
> ~josh
> On Sun, Jan 17, 2016 at 11:54 PM, Andrew van der Stock <vanderaj at owasp.org
> > wrote:
>> So the hotel we used was one of those breached. Anyone who stayed
>> additional days, used the hotel's parking, gym, and other amenities might
>> be at risk.
>> Do we make a statement to owasp-community? I think we owe them that at
>> least, something along the lines of:
>> "OWASP uses a conference registration payments system that is separate to
>> Hyatt.
>> However, our hotel for AppSec USA 2015 was one of those Hyatt has
>> indicated was breached:
>>    - Payments made to OWASP through our conference registration system
>>    are not part of the Hyatt breach
>>    - If you used your card directly at Hyatt for items such as gym
>>    access, car parking and so on, you might have been breached
>>    - Check your credit card statements for any suspicious activity
>>    - If you do spot suspicious activity, please contact your bank and
>>    Hyatt directly
>> For more information about the breach, please see
>> http://www.hyatt.com/protectingourcustomers/
>> Thoughts?
>> On Tue, Jan 5, 2016 at 3:35 AM, Paul Ritchie <paul.ritchie at owasp.org>
>> wrote:
>>> Hi Josh, All.
>>> On the OWASP Foundation side our Conference registration system for
>>> payments for attendees to training and seminars is not via Hyatt.
>>> We generally use the 3rd party apps through our Sales Force DB, or via
>>> OWASP's RegOnline acct.
>>> Occasionally we "may" pay some hotel catering or A/V bills via the OWASP
>>> Credit card.....but we also do a reconciliation of the OWASP Credit card
>>> statement, ** every single month **.
>>> I can see some potential risk to our attendees, if they used their
>>> personal credit cards to pay for hotel sleeping rooms, etc. at a Hyatt.
>>> So, if they did find a fraudulent charge on their personal card, they'd
>>> need to take that up with Hyatt directly.
>>> Paul
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>> On Mon, Jan 4, 2016 at 7:11 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> I know that we've used Hyatt for a few conferences.  I wonder how this
>>>> may affect us or our attendees?
>>>> --Hyatt Hotels Says Malware Found on Payment Systems
>>>> (December 23 & 24, 2015)
>>>> Add Hyatt to the list of hotels that has found malware on its payment
>>>> systems. Hyatt disclosed the breach on December 23, 2015, but did not
>>>> say how many of its properties were affected. The malware is designed to
>>>> steal payment card information. Hyatt has called in an outside company
>>>> to investigate.
>>>> http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/
>>>> http://www.nbcnews.com/tech/security/hyatt-hotels-notifies-customers-malware-found-payment-systems-n485351
>>>> http://www.bbc.com/news/technology-35175263
>>>> http://thehill.com/policy/cybersecurity/264182-hyatt-hotels-hit-by-hackers
>>>> http://www.hyatt.com/protectingourcustomers/
>>>> ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160118/eb32a2ac/attachment-0001.html>

More information about the Owasp-board mailing list