InterContinental Hotels Group (IHG) reported last week that a huge number of its hotels in the US and Puerto Rico have been compromised with payment card information-slurping malware.
The list of the affected locations is still not complete, but the company has provided a tool that customers can use to check whether the property that they stayed at has been compromised, and during which period.
InterContinental Hotels Group is a British multinational hotels company that has over 5,000 hotels in over 100 countries around the world, under the Crowne Plaza, Holiday Inn, Holiday Inn Express, InterContinental, and other brands.
The great majority of these hotels are operated under franchise agreements.
InterContinental data breach details
“The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017,” the company stated in the data breach notification published on Friday, just before the start of the Easter weekend.
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.”
The company pointed out that franchisee-operated locations that had implemented its Secure Payment Solution (SPS) – a point-to-point encryption payment acceptance solution – before September 29, 2016 were not affected by the breach.
“Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected,” they added.
As mentioned before, the investigation is still ongoing, and the look-up tool for affected properties will probably be updated with new affected locations.
But some of the IHG-branded franchise properties did not participate in the investigation, even though IHG hired a cyber security firm and offered its services free of charge to the franchisees, and so the compromise of their front-desk payment systems might never be publicly revealed.
Law enforcement agencies have been notified of the breach.
The company is advising customers to regularly check their payment card statements for any unauthorized activity, and to report any unauthorized charges to their card issuer, in order to be compensated for their loss.
Companies in the hospitality industry are often targeted by crooks who are after payment card information. Previous victims include the Hyatt Hotels Corporation, Hilton and Trump hotel chains, and Starwood Hotels & Resorts.