Late last year, InterContinental Hotels Group (IHG) revealed it was investigating a widespread credit card breach across some 5,000 hotels worldwide. In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.
According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”
"On behalf of franchisees and in co-operation with the payment card networks and acquiring banks, IHG is coordinating the investigation that is now under way," an IHG spokeswoman told the BBC. "Individuals should closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges."
A statement released on the hotel's website says that the malware, which infected the hotels' card payment systems, was identified between Sep. 29 and Dec. 29, 2016. The statement adds that although “there is no evidence of unauthorized access to payment card data” after Dec. 29, it still took until March 2017 to ensure that the malware had been completely expunged from the systems.
The statement said that other properties with an encryption-based security measure were not affected. However, cyber security expert Brian Krebs stated that not many of IHG's hotels adopted this security measure.
"IHG has been offering its franchised properties a free examination by an outside computer forensic team," Brian Krebs said. "But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state look-up tool."
IHG didn’t say how many properties in total were affected, although it has published a state-by-state lookup tool.
There has been a huge string of acknowledged breaches in the past two years. Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, and White Lodging have all been victims of data breaches.
In addition to data-breach insurance, there are other steps hotels can take to minimize risk. These include understanding the risk of a data breach, having a strict online policy bolstered by strong employee training, updating machines and technology, and being prepared in case they are targeted.