The vulnerability of credit card data has been brought to light again, with the Hyatt Corporation announcing late last week unauthorised access to payment card information.
The information relates to cards manually entered or swiped at the front desk of 41 properties in 11 countries between 18 March 2017 and 2 July 2017, with China being the most impacted. Australia is not amongst the countries affected.
The information accessed is cardholder name, card number, expiration date and internal verification code. Hyatt has put the breach down to the insertion of malicious software code from a third party onto certain hotel IT systems.
In late 2015 Hyatt’s payment processing system was infected with malware that stole credit card information, affecting 250 hotels in 50 countries. It is not yet clear whether this earlier breach is related to the 2017 breaches.
The situation is similar to the case of Wyndham Hotels, which led to that hotel chain being prosecuted by the US Federal Trade Commission (FTC). We published an article on the FTC’s action against Wyndham Hotels in September 2015.
The FTC has statutory powers to protect consumers against corporations taking inadequate cybersecurity measures. In our article on the Wyndham Hotels case we took the view that the ACCC has analogous statutory powers under the Australian Consumer Law. The ACCC has raised its profile significantly in regard to cyber resilience issues.
Whilst the data breaches on this occasion did not occur in Australia, it seems to us that, much like the Wyndham Hotels case, a similar breach affecting Australian businesses may well see the ACCC taking formal action given its current posture. The stakes ramp up considerably as of February 2018, after which time any breach involving personal information will bring into play the mandatory data breach notification provisions of the Privacy Act 1988 (Cth) (Privacy Act).
Businesses subject to the Privacy Act should ensure that they are prepared to respond to any data breach occurring from February 2018, including notifying the OAIC and notifying affected individuals. Affected businesses should ensure that they have in place a response plan and clear governance structures and lines of reporting that will ensure all necessary action is taken within the timeframes specified by the Privacy Act.