1,175 hotels listed in payment card breach of Holiday Inn parent company

1,175 InterContinental Hotels Group hotels suffered a payment card breach; the investigation is not complete, but so far 1,174 franchise hotels in the US are known to have had malware accessing payment data from cards used at the front desks.

Hacked, unlocked, unsafe.
Thinkstock

You may recall commercials for Holiday Inn Express that revolved around a “Stay smart” theme, but if you stayed in Holiday Inn Express, or other InterContinental Hotels Group-branded franchise hotel late last year, then you would be really smart if you keep an eye out for unexpected charges on your credit card.

IHG finally reported the findings from an investigation into a breach of the company’s payment systems. The company has over 5,000 hotels across 100 counties, with brands such as Holiday Inn, Holiday Inn Resort, Holiday Inn Express, Crowne Plaza, Hotel Indigo, InterContinental, Kimpton, Staybridge Suites and Candlewood Suites. Hackers managed to get malware into the front desk payment system at some IHG-branded franchise hotels in the United States and Puerto Rico and made off with payment card data.

The breach, which security journalist Brian Krebs reported was being investigated in December, occurred between September and December last year. IHG has now reported:

The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017.

The company doesn’t go into any great detail about how the front desk payment systems were infected with malware or about the type of malware. Instead, IHG said:

The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.

IHG doesn’t give a number of how many hotels were involved in the card breach. Instead, it has a ridiculous system to see what IHG franchise locations were affected as well as the respective time frames. For example, after selecting United States, then you must select a state and then a city to find a hotel brand and time frame of the breach.

Currently, there are 1,175 hotels listed in the breach; the 1,174 breached in the US include:

2 in Alaska, 27 in Alabama, 23 in Arkansas, 15 in Arizona, 64 in California, 20 in Colorado, 10 in Connecticut, 2 in Washington DC, 3 in Delaware, 61 in Florida, 38 in Georgia, 12 in Iowa, 4 in Idaho, 39 in Illinois, 53 in Indiana, 19 in Kansas, 21 in Kentucky, 21 in Louisiana, 17 in Massachusetts, 14 in Maryland, 1 in Maine, 42 in Michigan, 22 in Minnesota, 25 in Missouri, 32 in Mississippi, 5 in Montana, 49 in North Carolina, 8 in North Dakota, 17 in Nebraska, 3 in New Hampshire, 19 in New Jersey, 14 in New Mexico, 2 in Nevada, 45 in New York, 50 in Ohio, 23 in Oklahoma, 10 in Oregon, 46 in Pennsylvania, 1 in Rhode Island, 19 in South Carolina, 7 in South Dakota, 30 in Tennessee, 163 in Texas, 10 in Utah, 28 in Virginia, 2 in Vermont, 10 in Washington, 13 in Wisconsin, 7 in West Virginia, and 6 in Wyoming.

Furthermore, IHG noted that not all of its franchise properties participated in the investigation. The company reported that it is not completely done with the investigation either, so the look-up tool will be updated from time to time. Guests who might also be victims are told to come back and check the site periodically.

IHG has notified law enforcement and noted that IHG-branded franchise hotel locations which had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution, before the breach were not affected. Many more properties implemented SPS after the breach started, which ended the abilities for bad guys to pilfer card data.

Victims will not be responsible for fraudulent charges, as long as you notify the company “in a timely manner” of unauthorized charges. Considering the breach started back in September 2016 for some of the hotels, and partial notification is coming in April 2017, the stolen card data has most likely been used by now. Nevertheless, keep an eye out on your debit and credit card statements for any bogus charges if you stayed in an IHG-branded franchise hotel late last year. It was a pattern of unauthorized charges occurring on credit cards after being used at the hotels which first prompted the investigation, IHG claims.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon