Someone's Swiping Credit Cards from Hyatt, Research Reports from Forrester and a Disqus Breach


It's just another week in Threatwatch.

This week saw more bad news from Equifax. The company acknowledged a file with 15.2 million U.K. residents’ information was accessed, denied reports one of its websites had been hacked, and had a $7 million bridge contract with the IRS suspended. But hotels and research firms had their own problems. Here's what you missed in Threatwatch, Nextgov's regularly updated index of cyber events. 

Payment Data Breached at 41 Hyatt Hotel Properties

Hyatt Hotels Corp. on Thursday announced it discovered unauthorized access to guests’ payment information at 41 properties around the world.

The company said a third party inserted malware onto hotel IT systems and may have captured payment information of guests who paid between March 18 and July 2. The breach affected seven U.S. properties in Hawaii, Puerto Rico and Guam, but China was hit hardest with 18 locations.

“I want to assure you that there is no indication that information beyond that gained from payment cards—cardholder name, card number, expiration date and internal verification code—was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide,” Global President of Operations Chuck Floyd said in a statement.

Though the company said it estimates only a small percentage of payment cards used may be affected, it can’t identify each one, so it encourages customers to review their statements for possible fraudulent activity.

In 2015, the company acknowledged a breach of its payment systems that impacted 250 hotels in 50 countries, according to Reuters.

17.5 Million Disqus Accounts Exposed

The commenting platform Disqus on Oct. 6 acknowledged a security breach that potentially affects 17.5 million users.

Disqus Co-founder Jason Yan in an alert said the data appears to come from July 2012 and earlier but includes Disqus usernames, email addresses, sign-up dates and last login dates in plain text. About one-third also include encrypted passwords.

Yan said the company is forcing a password reset for all affected users, though he said the company hasn’t seen evidence of unauthorized logins. Because the email addresses were in plain text, affected users may get spam or otherwise unwanted emails.

Have I Been Pwned? operator and independent security researcher Troy Hunt notified the company Oct. 5 of the potential breach. Disqus verified the data and began notifying users the next day prior to its public disclosure.

“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users,” Yan wrote.

Forrester Confirms Hackers Stole Research Reports from Website

Market research firm Forrester Research on Oct. 6 confirmed research reports available to its clients were stolen from

“There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident,” according to a company statement.

An outside hacker used credentials to steal the reports but the company detected the attack and ultimately shut the hacker out of the system, Chief Business Technology Officer Steve Peltzman wrote in a company blog.

The company said it will review its security processes and systems and contacted law enforcement about the incident.

"We recognize that hackers will attack attractive targets—in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures," said Forrester Chairman and CEO George Colony.