Hyatt launches bug bounty programme to uncover security vulnerabilities
11 January 2019
Soon after Marriott International announced that a massive data breach it suffered last year compromised approximately 383 million data records, including 5.25 million unique unencrypted passport numbers, Hyatt announced that it is launching a new bug bounty programme to plug security weaknesses in its customer-facing platforms.
Launched in partnership with HackerOne, the bug bounty programme will involve Hyatt inviting ethical hackers to snuff out unpatched security vulnerabilities in its mobile applications for iOS and Android operating systems and websites such as Hyatt.com, m.hyatt.com, and world.hyatt.com.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day. As one of the first global hospitality brands to launch this type of programme, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,” said Benjamin Vaughn, the chief information security officer at Hyatt.
“Bug bounty programs are a proven method for advancing an organization’s cyber security defenses, trusted by leading enterprises across industries. In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold,” said Marten Mickos, CEO of HackerOne.
Hyatt deployed unified software to plug server issues
Recently, Hyatt deployed Splunk Enterprise and the Splunk Machine Learning Toolkit in a move to centralise solutions to monitor and troubleshoot server issues and improve application delivery. The adoption of these solutions has enabled the hotel chain to maintain greater visibility over 700 different servers and has enabled developers to identify issues quickly.
The new bug bounty programme launched by Hyatt could also prevent a repeat of highly-publicised breaches on the scale of those it suffered twice in the past four years. Back in 2015, hackers were able to access credit card systems at 250 Hyatt hotels across 50 countries for as long as four months without being detected.
Between March and July 2017, suspected hackers were able to access payment card information of customers at several Hyatt hotels located in China, Brazil, the United States, India, Japan, Malaysia and several other countries. In all, a total of 41 properties across 11 countries were affected by the breach.
According to Hyatt, the hackers were able to access details of payment cards which were either swiped or manually entered at the front desk of the affected hotels. Details accessed by the hackers included cardholder names, card numbers, verification codes and expiration dates.
“Hyatt’s layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates,” said the hotel group.