Another day, another big credit card data breach at a hotel. The latest victim: Hyatt, which has acknowledged a breach that involved some 250 hotels in 50 countries. If you paid for anything at a Hyatt between August 13, 2015 and December 8, 2015, double-check your credit card statements. That’s especially true if you ate in a restaurant, where Hyatt indicated most impacted accounts were used. But it added this worrisome qualifier: “A small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks, or provided to a sales office during this time period.”
That means if you used plastic to pay for anything at Hyatt, be worried.
Hyatt joins a lengthening line of hotel operators that have suffered big breaches. Victims are known to include Wyndham, Mandarin Oriental, Hard Rock, Trump, management company White Lodging (many Marriotts were involved), Destination, and Hilton.
Hotel guests have to question the wisdom of using plastic at any hotel - but of course not using plastic is not necessarily easy. Most hotels require a credit card at check-in. Can a guest do anything to protect himself?
First, it's important to understand why so many hotels are falling victim to criminal hacks.
Attorney and identity theft expert Steven Weisman, who teaches at Bentley University in Waltham, Mass., offered this insight: “Hotel chains have become the low hanging fruit for many large scale hackings which will continue to occur as the hotel computers are easy to access through standard phishing and spear phishing techniques to plant the malware necessary to steal credit and debit card information.”
What that means is that self-protection is our responsibility. Hotel guests cannot rely on hoteliers to protect their credit card info - so what can you do to protect yourself?
“Use cash,” said Paul Robinson, a cybersecurity solutions advisor with GreyCastle Security in Troy, N.Y. “Hackers haven’t figured out a way to hack cash yet.” Robinson acknowledged that at most hotels, a credit card is part of check in, so his advice is meant for purchases in restaurants, gift shops and the salon.
Christopher Budd, a security expert with Trend Micro, agreed. “Don’t use credit cards at gift shops,” he said. “That’s easily the best thing you can do.” Probably put the hotel bar on the “no credit card” list, too. If you can’t expense the transaction, just pay with cash at a hotel; it’s more secure.
Candidly, that advice is good. But most of us want to continue to use credit cards. How can we do that and stay safe?
“Set up and enable text messaging of all transactions,” advised self-described hardcore business traveler Joe Palko, who works for a web design company. That is especially good advice if you have recently stayed at a hotel in a group that has recently been victimized - such as Hyatt or Trump. Eyeballing the purchases in close to real time will let you cut off any fraud before it is likely to cause real damage to your credit.
Note: the crucial advice in an age of breaches is to use a credit card, where your protections against fraud are strong and broad. You will probably suffer no losses whatsoever. Debit cards, while protected against fraud under federal law, have notably looser safeguards - and even in the best case, there typically is a time lag before money that had been withdrawn from your account is restored. That means a criminal could wipe out your checking balance and it might be days - possibly longer - before all is set right. That is why multiple experts now loudly advise: do not use a debit card at a hotel or any of its operations (definitely not the restaurant, bar, gift shop or spa).
Looking ahead, however - and probably speaking for many consumers - Chris Bucolo, a security expert at Sikich, a professional services company, said he's not going to travel in fear. “Personally I am not changing my practices because of what has happened at hotels,” he said. “I check my statements, I know and track my account activity. I am not going to worry about this. I will continue to use credit cards at hotels.”
Do likewise, and very probably that will be enough to stay safe even in an age of epidemic hotel data breaches.