Hyatt Hotels Corporation is warning any guests who visited their 22 hotels in China between August and December last year to check their card records, after evidence emerged of possible unauthorized access to its payment card data.
"Hyatt encourages customers to review their payment card account statements closely and to report any unauthorized charges to their card issuer immediately," said Lillian Zhang, director of corporate communications at Hyatt Group China.
She said Hyatt had completed its investigation of a previous payment card incident, which identified signs of unauthorized access to payment card data at certain Hyatt-managed locations, primarily at restaurants, between Aug 13 and Dec 8.
A small percentage of the at-risk cards were also used at spas, golf shops, on parking, and at a limited number of front desks during this time period, on or shortly after July 30.
The malware detected, said the company, was designed to collect payment card data－cardholder names, card numbers, expiration dates and internal verification codes－from cards used on-site.
Data were then being routed through affected payment processing systems, but there is no indication that other customer information was affected, it said.
Charlie Dai, principal analyst at Forrester Research Inc, said: "The incident has triggered worries over the safety of customer information held by other global hotel chains, and the effectiveness of their security networks.
"This is not the first time a company has lost key user information and it will defiantly not be the last," said Dai, pointing out the situation appears to be getting worse, as many of the more traditional service industries still get used to putting critical operational data online.
Tang Wei, a security expert at Internet safety company Beijing Rising Information Technology Co Ltd, said thousands of guests could be at risk of having their information stolen in China from Hyatt's networks, despite no reports yet of any financial losses,
"Today's hackers are good at using big data technology to dig information from the personal data they steal. Often they sell the information to other parties, such as online advertisers, rather than stealing money from victims' bank accounts," said Tang.