Hyatt says 250 hotels hit by data breach, including nine in D.C. area

Hyatt Hotels admitted Thursday that a previously disclosed cybersecurity incident had affected the payment systems used at about 250 of the chain’s 630 properties, including nine in the greater D.C. region.

Although the hotel chain acknowledged in late December that it had discovered malicious software on select Hyatt computers a month earlier, this week’s announcement marks the first time the company has outlined the extent of the cyberattack.

Malware designed to collect payment data, including names, card numbers, expiration dates and verification codes had been discovered primarily on payment processing systems used in Hyatt restaurants, the company said, but had also infected the computers used in certain spas, golf shops, parking facilities and hotel front desks.

The malware made its way onto the systems on or shortly after July 30, Hyatt said, and went roughly five months without being detected.

Among the affected properties are three hotels in D.C. — Grand Hyatt Washington, Hyatt Regency Washington on Capitol Hill and Park Hyatt Washington. Payment systems used by Hyatt-owned hotels at four Virginia locations — Arlington, Herndon, Reston and Tysons Corner — as well as in Baltimore and Bethesda, Maryland, had also been compromised.

Hyatt did not say immediately how many cardholders had been affected by the malware.

Chuck Floyd, global president of operations for Hyatt Hotels Corp, said customers should “remain vigilant and to review your payment card account statements closely

“Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,” he said in a statement. “We have been working tirelessly to complete our investigation, and we now have more complete information that we want to share so that customers can take steps to protect themselves. Additionally, we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.”

Hyatt said last month that it had launched a probe immediately after discovering the breach and has brought on third-party cybersecurity experts as well as federal investigators. Alongside Starwood, Trump Hotel Collection and Mandarin Oriental, Hyatt is among a slew of major hotel chains hacked with the past several months.