[Owasp-board] Hyatt Data Breach

Jim Manico jim.manico at owasp.org
Tue Jan 19 14:53:08 UTC 2016


+1 do it

On 1/18/16 12:54 AM, Andrew van der Stock wrote:
> So the hotel we used was one of those breached. Anyone who stayed 
> additional days, used the hotel's parking, gym, and other amenities 
> might be at risk.
>
> Do we make a statement to owasp-community? I think we owe them that at 
> least, something along the lines of:
>
> "OWASP uses a conference registration payments system that is separate 
> to Hyatt.
>
> However, our hotel for AppSec USA 2015 was one of those Hyatt has 
> indicated was breached:
>
>   * Payments made to OWASP through our conference registration system
>     are not part of the Hyatt breach
>   * If you used your card directly at Hyatt for items such as gym
>     access, car parking and so on, you might have been breached
>   * Check your credit card statements for any suspicious activity
>   * If you do spot suspicious activity, please contact your bank and
>     Hyatt directly
>
>
> For more information about the breach, please see 
> http://www.hyatt.com/protectingourcustomers/
>
> Thoughts?
>
> On Tue, Jan 5, 2016 at 3:35 AM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>
>     Hi Josh, All.
>
>     On the OWASP Foundation side our Conference registration system
>     for payments for attendees to training and seminars is not via Hyatt.
>     We generally use the 3rd party apps through our Salesforce DB, or
>     via OWASP's RegOnline acct.
>     Occasionally we "may" pay some hotel catering or A/V bills via the
>     OWASP Credit card... but we also do a reconciliation of the OWASP
>     Credit card statement, ** every single month **.
>
>     I can see some potential risk to our attendees, if they used their
>     personal credit cards to pay for hotel sleeping rooms, etc. at a
>     Hyatt.  So, if they did find a fraudulent charge on their personal
>     card, they'd need to take that up with Hyatt directly.
>     Paul
>
>     Best Regards, Paul Ritchie
>     OWASP Executive Director
>     paul.ritchie at owasp.org
>
>
>     On Mon, Jan 4, 2016 at 7:11 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>         I know that we've used Hyatt for a few conferences.  I wonder
>         how this may affect us or our attendees?
>
>         --Hyatt Hotels Says Malware Found on Payment Systems
>         (December 23 & 24, 2015)
>         Add Hyatt to the list of hotels that have found malware on their
>         payment systems. Hyatt disclosed the breach on December 23, 2015,
>         but did not say how many of its properties were affected. The
>         malware is designed to steal payment card information. Hyatt has
>         called in an outside company to investigate.
>         http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/
>         http://www.nbcnews.com/tech/security/hyatt-hotels-notifies-customers-malware-found-payment-systems-n485351
>         http://www.bbc.com/news/technology-35175263
>         http://thehill.com/policy/cybersecurity/264182-hyatt-hotels-hit-by-hackers
>         http://www.hyatt.com/protectingourcustomers/
>
>         ~josh
>
>
>
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
