Hotel group launches its own vulnerability bounty program

Hyatt Hotels will begin collaboration with external experts to avoid incidents that may affect its customers’ personal data

Network security and ethical hacking specialists from the International Institute of Cyber Security report that Hyatt Hotels has announced its own vulnerability bounty program, launched after the chain suffered a payment card data theft incident.

The company said in recent days that the initiative will run in collaboration with the bounty platform HackerOne, adding that it is designed to let Hyatt Hotels “take advantage of the broad experience of the cybersecurity community to identify and address potential vulnerabilities before they affect clients”.

“At Hyatt, protecting all of our customers’ data is one of our priorities, so launching this bounty program means a huge step to keeping our guests’ information always safe”, stated Benjamin Vaughn, IT manager at the hotel chain.

Network security and ethical hacking researchers will be able to use the HackerOne platform to report vulnerabilities, security bugs, server data leaks and similar findings before malicious actors exploit them, heading off data theft and other attacks.

The program will be public, and researchers will be able to report vulnerabilities in multiple domains owned by the hotel group, such as hyatt.com, m.hyatt.com and world.hyatt.com, as well as in its mobile applications for iOS and Android.

The program will consider for reward reports of authentication bypass, SQL injection, cross-site request forgery and cross-site scripting vulnerabilities, among others. To evaluate reports, the company has opted to use the Common Vulnerability Scoring System (CVSS) to rate the severity of each reported vulnerability.

According to network security experts, reports of vulnerabilities rated critical will receive a payment of up to $4,000 USD. Medium-severity bugs could receive up to $1,200 USD, while the lowest-severity (and most common) reports will receive between $300 and $600 USD.

In recent years, hotel chains and similar businesses have become favorite targets of cybercriminals because of the large amount of sensitive information they process and store every day. Radisson Hotel Group, Marriott, and Hyatt Hotels itself are among the most notable cyberattack victims.

In 2015, 250 properties managed by Hyatt in countries including the United States, the United Kingdom, China, Germany, Japan, Italy, France, Russia and Canada were hit by a cyberattack in which card-stealing malware was planted on the company's systems to extract its customers' payment card data.
