On Tuesday, Hyatt alerted some 200 customers that their Gold Passport accounts had been flagged for suspicious activity, while the other 18 million members have had their account passwords reset out of an abundance of caution.
“As part of Hyatt Gold Passport’s routine monitoring of member account activity, we found a small number of accounts were accessed by an unauthorized individual utilizing member usernames and passwords,” the hotel chain explained in a letter to program members.
“We have no reason to believe, at this time, the login information was obtained through Hyatt Gold Passport, and we continue to analyze and monitor our systems. We have reached out to members we know have been affected to resolve any concerns.”
The letter goes on to say that, in order to “enhance account security,” passwords connected to a given username have been reset. This means that when any of the more than 18 million members access their account with a username rather than their account number, they’ll be prompted to reset their password.
“We strongly recommend that you reset your username and password to a unique combination not used elsewhere. You will not be able to access your account online until you change your password.”
Those with questions are encouraged to call 800.228.3360, or their local Hyatt.
In a statement, Trey Ford, Global Security Strategist for Rapid7, pointed out that Hyatt did the right thing when it comes to this type of disclosure. Compared to other disclosures from organizations that have experienced a security incident this year, Hyatt’s is simple and honest.
“Transparency is one of the most effective ways to build trust with customers. Hyatt’s client notification on the unauthorized access of Hyatt Gold Passport accounts wasn’t just good for establishing trust – they are educating and building loyalty. The company explained what happened, how they found the issue, and what steps customers should take to protect themselves.
“Hyatt took action without being alarmist or cryptic, and were instead straightforward and meaningful. The more we see companies communicate like this around security issues, the more we move the industry forward.”