Industry News

Been to one of these 1170 IHG hotels? Your credit card details may have been stolen by malware

When a company starts a statement to customers with words describing how it “understands the important of protecting payment card data” you know that you’re about to hear some bad news…

That’s precisely what InterContinental Hotels Group (IHG) has been forced to share with guests who stayed at a number of IHG-franchise hotel locations between September 29 and December 29 2016.

IHG didn’t reveal just how many hotel properties were considered to be at risk, but my examination of the state-by-state lookup tool they published online reveals it to be higher than 1170.

In a statement issued by IHG, which oversees 12 hotel brands including InterContinental Hotels & Resorts, Holiday Inn, Crowne Plaza, Kimpton, and Staybridge Suites, the company explained that malware stole guests’ payment card details as they paid for their accommodation at the front desk of hotels across America and Puerto Rico:

“Although there is no evidence of unauthorized access to payment card data after December 29 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017. Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.”

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.”

As IHG explains in its statement, it began its investigation back in February. Back then the company admitted a data breach had occurred – but believed that it had only impacted the payment card systems at 12 IHG-managed properties.

Now it is clear that over 1170 hotels are impacted, meaning the potential pool of victims is much much larger.

IHG says that, on behalf of affected franchise hotels, it has been working closely with payment card networks, and has informed law enforcement agencies about the security breach.

It should go without saying that anyone who believes they may be at risk should keep a close eye on their payment card statements for unusual transactions.

In recent years many hotel chains – including Hyatt, Omni, Hilton Hotels, Starwood Hotels, and Trump Hotels – have found themselves targeted by criminals using malware to steal payment card information.

The problem has become so serious that you might start to wonder whether it might be safer to pay on hotel properties with cash, or at least with a card which has a low payment limit.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment

  • Well, the card issuer and vendor assume virtually all the risk of fraud, in the US at least. So these issues aren't all that concerning for consumers, although getting cards replaced repeatedly can be a big hassle.