Purpose
To protect the security of Hyatt and our colleagues and to help prevent account takeover attempts and password reset fraud, Hyatt IT and Cyber Security are updating the Administrative Password Reset delivery policy and procedures. These changes are being made to maintain the security and integrity of our systems and to protect the privacy of our users. As a result, ID verification will be required before delivering/communicating the administratively reset password to the colleague needing access. This policy is meant to ensure that passwords are delivered only to authorized individuals and to mitigate the risk of unauthorized access to sensitive information.
Please Note:
- The “Administrative Password Reset” form will not work for Privileged accounts (e.g., W, D, U, and A accounts). Privileged accounts are managed via CyberArk.
- For accounts with associated privileged accounts (i.e., any user with W, D, U, or A account), approval for password resets will go through the Network Operations Center.
- For security reasons, passwords should NOT be delivered to colleagues (e.g., via email, phone call, SMS, etc.) without a prior visual validation.
- The Service Desk will no longer administratively reset passwords.
- The “Administrative Password Reset” form will not work for Franchise locations. Franchise colleagues may request an automated password reset via the Hyatt Service Desk phone number using the automated system. The password will be delivered to the requestor’s manager of record.
Procedure
How to request an Administrative Password Reset (Owned or Managed locations, Offices)
The colleague’s Manager, their IT Manager, or their HR Representative can submit a request via the “Administrative Password Reset” form in the Service Catalog in ServiceNow. The person submitting the request will receive an email containing the password for the colleague being reset.
Which methods can Franchise colleagues use for password resets?
If a colleague is already registered for MFA (Multi Factor Authentication) and SSPR (Self Service Password Reset), they should be able to reset their password themselves using SSPR at their associated property.
For more instructions, please consult How to Reset your Password using the Self-Service Password Reset (SSPR) Tool.
The franchise colleague’s Manager, their IT Manager, or their HR Representative can submit a request via the “Password Reset” form in the Service Catalog in ServiceNow.
- Once selected, the colleague’s password will be automatically reset and sent via email to their direct line manager.
- Before the manager transmits the password to the colleague, the Visual Verification process must be followed. This includes transfers from manager to manager, and from manager to the colleague being reset.
If the franchise colleague previously requested an automated password reset by calling into the Service Desk’s automated phone system, the password will automatically be delivered to their manager of record. Visual Verification steps should be used by the colleague’s manager before the password is delivered to the colleague.
Visual Verification Process before Delivering the Password
Online Verification for New Hires
- Provide the colleague with a Zoom link or an equivalent video conference service via the previously established method of communication (e.g., Email or SMS to the phone used to contact the colleague during the hiring process).
- Require the colleague to be on video for verification.
- Ask the colleague to show a photo ID displaying their full name and verify that the name matches the one on file.
- The only information required to be displayed is the colleague’s name and photo. ALL OTHER INFORMATION CAN AND SHOULD BE BLOCKED FROM VIEW.
- Once the colleague’s identity has been verified, the password may be provided to them.
Online Verification for Established Colleagues
- Provide the colleague with a Zoom link or an equivalent video conference service via the previously established method of communication (e.g., Email or SMS to the phone the colleague used to request their account be reset).
- Require the colleague to be on video for verification.
- If the colleague is known by sight, visually verify their identity.
- If the colleague is not known by sight, ask the colleague to show a photo ID displaying their full name and verify that the name matches the one on file.
- The only information required to be displayed is the colleague’s name and photo. ALL OTHER INFORMATION CAN AND SHOULD BE BLOCKED FROM VIEW.
- Once the colleague’s identity has been verified, the password may be provided to them.
In-Person Verification
If the colleague is on premises, the password may be provided to the colleague directly.
Notes
If you identify that the colleague requiring the password does not wish to cooperate or does not match the information on file, please report the incident immediately to Cyber Security at cyber.security.operations@hyatt.com.
Support Contact Information
If you require further assistance or if you have any questions, please contact your IT Manager or the Global Hyatt Service Desk:
Global Hyatt Service Desk
North America: 1-844-HSD-TECH (844-473-8324)
Global: +1-312-690-6888
IT Support Portal: click here
Should you have any questions or concerns regarding this event, please open a ticket via the IT Support Portal or contact the Global Hyatt Service Desk at 844-HSD-TECH (844-473-8324) (North America) or +1 312-690-6888 globally.
HYATT IT NOTIFICATIONS
Global Technology Support
E: chico-noc@hyatt.com
150 North Riverside Plaza, Chicago, IL 60606