As Marriott Hotels continues sizing up its mega data breach, Hyatt Hotels is kicking off a bug bounty to find flaws in its websites and apps before hackers do.
Hyatt’s public bug bounty, announced today, invites all ethical hackers to probe its websites and mobile apps for security flaws. It will offer cash rewards of up to $4,000 to hackers who report bugs through its program with bug bounty platform HackerOne.
Hyatt Hotels boasts its bug bounty is a first in the hotel industry, which has been a soft target for hackers who’ve accessed hundreds of millions of guests’ personal and payment card data over the past few years. Hilton Worldwide, Mandarin Oriental and Marriott’s Starwood Hotels & Resorts Worldwide have all suffered breaches in recent years.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt chief information security officer Benjamin Vaughn.
“As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
White hat or ethical hackers can earn rewards if they report security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and Hyatt's iOS and Android mobile apps. Rewards range from $4,000 for critical flaws to $300 for low severity issues.
Valid vulnerabilities range from SQL injection web app flaws to finding Hyatt data on public cloud storage services and front-end system flaws that give access to backend systems.
Hyatt revealed in 2016 that hackers had compromised payment card data at 250 locations in 50 countries after its payment processing systems were infected with malware. A year later, it disclosed that hackers had compromised payment card data at 41 of its properties in 11 countries.
Marriott Hotels this week said that hackers had compromised 383 million records after discovering in September that hackers had accessed Starwood's reservation database. It initially believed the incident affected 500 million records. Even so, the hackers gained access to 5.25 million unencrypted passport numbers and 8.6 million encrypted payment cards.