Odd: My World Of Hyatt Account Was Compromised

Filed Under: Hyatt

Major data breaches seem to be pretty commonplace nowadays, to the point that I’m valuing my Social Security number at about five bucks nowadays.

Typically these data breaches impact a huge number of people. For example, earlier today I wrote about a Capital One data breach that potentially impacts more than 100 million people.

While I’m not sure what exactly you’d call this, I received a very interesting call from Hyatt this afternoon. I rarely answer the phone unless it’s someone I know, but based on the caller ID it seemed like it was someone from Hyatt, and I was curious why they’d be calling.

There was a nice lady on the line who introduced herself as being from Hyatt’s “care and regulation team,” and she proceeded to tell me that some of my information had been compromised.

As she explained it:

  • My World of Hyatt data was shared with a small group of individuals
  • This was information that was part of an internal record used as internal communications with teams
  • Four individuals received my information, and they were asked to delete the emails and contents; they’re all apparently “loyal” World of Hyatt members as well
  • She apologized for this happening, and said that notifying me was one of the top priorities
  • Information shared included the confirmation number and name, World of Hyatt account number, date of booking, etc.
  • They will closely monitor my World of Hyatt account for any unusual activity

Based on some follow up questions, I was told that:

  • This breach happened on July 10, and I was only contacted now because Hyatt’s corporate office was doing an investigation
  • Only 15 people total have been impacted by this, and they all involve people staying at Hyatt Place properties
  • The information for several of my reservations was shared, all for stays at the same hotel

She asked if I wanted a new World of Hyatt account number, or if I wanted any reservations rebooked with new confirmation numbers. I declined, since I figured in the scheme of data breaches, this one wasn’t a big deal. Like I said, she was very professional, and also gave me her name and phone number to call back if I have any questions.

While I’m not worried about this at all, I still find this whole thing sort of… weird? I don’t exactly understand what happened.

I could see a situation where a bunch of emails accidentally ended up going to the wrong people, but somehow four people got my information, and this only impacted 15 people? For a loyalty program with millions of members?

So more than being worried I’m just fascinated by what really happened here…

Are any of the other 15 people impacted OMAAT readers? Did any of you receive my confirmation email in error? 😉

  1. Based on your description, your account wasn’t compromised. Your account data was disclosed by Hyatt. Quite a difference.

  2. @Lucky – Never accept as true information being given to you by someone who calls you out of the blue on the phone. You didn’t say this, but did they ask you to verify any personal, credit card, or WOH information? I highly recommend that you call the main number on your WOH card. Tell them that you received this call, and request to speak with someone in security. They will either confirm the information that you were given, or you will find out that this call was a pretext to gather information from you and use it.

  3. Internal hotel communication was accidentally forwarded to the wrong people? Or they pulled the wrong account information requested by folks?

    Odd but I could see the wrong emails going out to folks. I’ve accidentally been sent internal Marriott records with my folio request for example (e.g. the internal reimbursement request they send to Marriott for award reservations).

  4. If not phishing, as InfoPro suggested, I’d guess it was internal Hyatt people looking up account information on a few (internet) notable people just because they could/were curious.

    Typically companies have controls to prevent that, sometimes they don’t.

  5. Assuming it’s not phishing, I wouldn’t be surprised if companies like Hyatt do what they can to try and make sure travel bloggers get special treatment and or have a flawless stay. You say they mentioned you might be staying at a hyatt place soon – if that is correct, it’s not that hard to believe that someone tried tipping off someone else at the property, and (maybe)? sent over full reservation details rather then just a room/date/name.

    All speculation of course. But if the only people affected are travel bloggers (as I see a post from Kathy above)….

  6. My guess is that four customer email addresses were inadvertently added to an internal email distribution list. They likely didn’t realize it for a while since they just select the distribution list when sending the message. After some time had passed, someone probably went to add or remove a member from the distribution list and they realized non-corporate addresses had been added. Either that or one of the four people reached out to Hyatt asking why they kept getting confirmation emails for other people.

  7. Bloggers get VIP treatment.
    Now @Lucky doesn’t want that. I suggest you book under alias then add the account at check-in.

  8. Agree with InfoPro and several others, I wouldn’t have pick up the call. Spammers can mimic legitimate caller ID. If Hyatt VIP customer service really wanted to talk to you, they would have left a voicemail and emailed from a verifiable address.

  9. I also got a similar call and I’m not a blogger. Globalist member with 100 nights this year. I figure it’s not a big deal. Like others mentioned, most likely 4 people just were accidentally cc’d on the email.

    Probably just a head’s up email to the hotel that a top Globalist was coming to their property and be extra careful all goes ok.

  10. “Typically these data breaches impact a huge number of people.”
    That is the plainly wrong assumption. The ones you hear about are obviously the ones where millions of people are impacted, but how often do ou think someone gets to see something etc. regarding private information, reservation details?

  11. I’m sure the email said – “these people are important – make sure the stay is flawless.” Obviously, WOH (and every other brand you stay at/fly) is doing this for every interaction you have with them.

  12. These Data breaches and hcsks compromising people’ private datas& payment cards always or usually happen in the US & for American companies a(Yahoo,LinkedIn,Target,Capital One etc)nd never or very seldom happen in Germany,France, Spain.
    Why are the US companies more vulnerable to cyber attacks than the rest of the world?

  13. Are you sure the call was from WOH? I bet I could get your WOH # and all that with a bunch of calls – HUCA until you get a gullible rep., then pull all sorts of info from them. Scammy, but probably possible.

  14. Your account has been compromised, please let me have all your bank details and I can arrange a stack of cash into your account………honest 🙂

  15. I’m too paranoid.

    As other said, if they call to ask you to confirm information, it would be better to ask them to log the call into their system, so you can call their main line, and then have them confirm that way to check if the call is legit. I had a call once where someone called claiming to be comcast support, saying there was a problem with my connection, even though there wasn’t, that they need to confirm some info. I told them to open a support ticket and that I would call back. I called comcast through their main support line, and there was no ticket.

    If I’m more paranoid, just asking if you are Ben, might be enough to confirm that the info you got on you tied to your phone number is actually yours…

  16. Translation – A hotel knows who you are and put a big poster on the wall for employees saying watch out for this guest lol.

  17. Another potential explanation could be a developer working with a copy of a production database (bad practice, but happens a lot). They could have been testing a buggy new feature and forgot to replace real email addresses with fake ones. There’s no excuse for it, but it’s still prevalent in the software development industry.

  18. Weird but I was probably one of the people that got your details. I randomly received folios from various hyatts that were not for my stays. I deleted them promptly but posted the issues on flyertalk.

  19. Given that another blogger here reported receiving the same call, this was likely just a screwup on Hyatt’s part. Changing your WofH acct number, etc. will be a PITA, especially when you have pending upcoming reservations. HOWEVER, given that data now “hangs around forever” as compared to 10-20-30 years ago, after you’ve used your upcoming reservations and the “live traffic” on your WofH number drops to zero, you should CHANGE IT for a new one.

  20. I would not be concerned with someone messing with my Hyatt account because it’s had no activity in many years by design. I went from years of Diamond to zero and no one at Hyatt ever reached out or sent a reactivation (we miss you) offer. So much for anti-attrition.

    Now, Marriott would be very different story!!

  21. Sounds like a very involved phishing scam to me unless you somehow verified they were actually a real Hyatt employee.

  22. Compromised or not, I would asked Hyatt to makes things right for their negligence… Globalist for life, nothing less.

  23. Ah, that innocuous word ‘shared’ ! A favorite of PR types, which has filtered into everyday American-talk.
    In the context of Lucky’s call, ( ‘reaching out’ ?) when does this innocent-sounding sharing become a hack?

Leave a Reply

Your email address will not be published. Required fields are marked *