Security News IHG Confirms Second Credit Card Breach Impacting 1,000-Plus Hotels

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
In what’s becoming a familiar refrain to guests, InterContinental Hotels Group, said late last week that payment card systems at more than 1,000 of its hotels had been breached.

It’s the second breach that IHG, a multinational hotel conglomerate that counts Holiday Inn and Crowne Plaza among its chains, has disclosed this year. The company acknowledged in February that a credit card breach affected 12 of its hotels and restaurants.

In a notice published to its site on Friday the company said a second breach occurred at select hotels between Sept. 29 and Dec. 29 last year. IHG says there’s no evidence payment card data was accessed after that point but can’t confirm the malware was eradicated until two to three months later, in February/March 2017, when it began its investigation around the breach.

Like most forms of payment card malware these days, IHG said the variant on their system siphoned track data – customers’ card number, expiration date, and internal verification code – from the magnetic strip of cards as they were routed through affected hotel servers.

The hotelier said the first breach also stemmed from malware found on servers used to process credit cards, but from August to December 2016. That breach affected hotels, along with bars and restaurants at hotels, such as Michael Jordan’s Steak House and Bar at InterContinental Chicago and the Copper Lounge at Intercontinental Los Angeles.

IHG didn’t state exactly how many properties were affected by the second breach but that customers can use a lookup tool the company has posted to its site to search for hotels in select states and cities. IHG gives a timeline for each property and says hotels listed on the tool “may have been affected.”

A cursory review of hotels in the lookup tool suggests far more than a dozen – more than a thousand – hotels, were affected by the malware.

IHG says that since the investigation is ongoing the tool may may be updated periodically. Some properties, for a reason not disclosed, elected to not participate in the investigation, IHG said.

While the company operates 5,000 hotels worldwide this most recent breach affects mostly U.S.-based chains. One hotel in Puerto Rico, a Holiday Inn Express in San Juan, is the only non-U.S. property that hit by malware this time around, IHG claims.

The company said it began implementing a point-to-point encryption payment solution – technology that can reportedly prevent malware from scouring systems for payment card data last fall. The hotels that were hit by this particular strain of malware had not yet implemented the encryption technology, IHG claims.

The news comes as an IHG subsidiary, boutique hotel chain Kimpton, is fighting a class action court case that alleges the company failed to take adequate and reasonable measures to protect guests payment card data.

The chain said it was investigating a rash of unauthorized charges on cards used at its locations last summer. It eventually confirmed a breach in late August that involved cards used from Feb. 16, 2016 and July 7, 2016 at nearly all of its restaurants and hotels.

Bloomberg reported Monday that Lee Walters, the plaintiff in the case against Kimpton, failed to plead all relevant factors. The judge overseeing the case, Judge Vince Chhabria of the U.S. District Court for the Northern District of California, dismissed California state fraud claims last week. Chhabria is allowing claims of implied contract, negligence, and California unfair business practices to continue however.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Well that's strange...
Did they have their own payment system? If so, did that system used unencrypted communication? Really?

The company said it began implementing a point-to-point encryption payment solution
- do they refer to the classic POS terminal with an encrypted (GSM powered) internet p2p connection to the bank? Wow, technology...

Though POS terminals are hard to "hack", physical devices are required (card scanners) to be attached to them without being visible, cameras hidden in the area to record PIN numbers and someone to retrieve both devices and the data, for each and every terminal. Though nowadays they are using Bluetooth to transmit both scanned cards data and video files, they can't skip the "mounting & retrieving" part, and that's their point of failure most of the times.

Anyway, always cover with one hand the keyboard of any terminal while typing in the PIN number, and you'll be fine.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
If you've stayed at a Holiday Inn you may have lost more than a good night's sleep (like maybe your bank card)

Very bad the below...
"IHG has set up a web page with a full list of affected hotels, and it's a very long list. The conglomerate isn't offering any kind of identity theft support, as is usual in such cases. Instead it's just telling customers to check their credit card statements.

That lack of customer support could turn around and bite IHG in the backside if the expected credit card fraud is widespread. The US is, after all, the land of the lawsuit, and lawyers are no doubt salivating at the chance to launch a class action suit against some of the best-known hotel brands in the country."
 
  • Like
Reactions: Amelith Nargothrond

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Pathetic, with the technology nowadays like EMV Credit/Debit Card, then the payment system should follow the latest standard security procedure.

With the continuous income received everyday by a hotel chain, then payment transaction should already covered on that upgrade.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top