That appears to be a sharp rise in the count of breached hotels that IHG reported in a February alert, when it reported that POS devices in restaurants and bars at 12 of its locations had been infected with malware (see Intercontinental Hotels Confirms Breach).
But IHG says that those dozen locations referred only to hotels that it directly runs, and that it didn’t yet know the scope of the breach at its franchisees’ locations.
“The 12 properties we provided notification for previously were managed hotel locations,” IHG spokesman Neil E. Hirsch says. “Approximately 1,200 IHG-branded franchise hotel locations in the Americas were [also] affected.”
U.K.-based IHG operates more than 5,000 hotels in nearly 100 countries, including Crowne Plaza, Intercontinental, Kimpton and Holiday Inn properties.
Not all hotels bearing the IHG brand name are run directly by the company. “Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations,” IHG says in an updated, April 14 data breach notification.
“We regret any inconvenience this may have caused,” it adds.
IHG first confirmed on Dec. 28, 2016, that it was investigating a suspected payment card breach at some U.S. properties, after security blogger Brian Krebs reported that some IHG properties – particularly Holiday Inn and Holiday Inn Express locations – appeared to be experiencing unusual levels of fraud.
On Feb. 3, IHG warned customers that 12 of its hotels may have been affected.
In its most recent update, however, IHG says that it has been coordinating a related breach response and investigation “on behalf of franchisees,” and that the malware appears to have infected hotel servers, before being eradicated in full across all locations by the end of March. The company says it’s also working with law enforcement agencies to help investigate the breach.
The malware intercepted payment card data, but nothing else appears to have been compromised, IHG says.
“The malware searched for track data – which sometimes has cardholder name in addition to card number, expiration date, and internal verification code – read from the magnetic stripe of a payment card as it was being routed through the affected hotel server,” it says. “There is no indication that other guest information was affected.”
IHG has declined to say which security firm it hired to investigate the breach, what type of malware infected its POS devices, whether or not it manages the payment infrastructure that its franchisees use, or how many payment cards may have been compromised.
IHG recommends that all of its customers review their payment card statements for signs of fraud and contact their card issuer directly if they see any suspicious activity. IHG has not offered free identity theft protection services to affected consumers.
For potential victims, however, it’s worth noting that users of credit cards are generally not liable for fraudulent charges if they report them in a timely manner. Legally speaking, debit card users have no such guarantees – that’s why many identity theft experts recommend never paying with a debit card – although many banks will cover such losses.
IHG has now published an updated list of affected locations, which span 49 states, plus Washington D.C., and Puerto Rico.
In its statement, IHG says that the malware infected systems at front desks, and that related infections persisted from Sept. 29, 2016, until Dec. 29, 2016. “Although there is no evidence of unauthorized access to payment card data after Dec. 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017,” it says.
Some IHG-branded properties were not affected, however, because they had chosen to implement stronger cybersecurity controls. “Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution,” according to IHG’s statement. It notes that any property that implemented SPS prior to Sept. 29, 2016, was not affected by the breach.
“Many more properties implemented SPS after Sept. 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected,” it adds.