Intercontinental Hotels Group confirms second credit card breach
Malware skimmed customer data from systems
Intercontinental Hotels Group (IHG) has suffered a second breach of its payment card systems, the company admitted.
It said in a notification that the breach happened in some hotels between 29 September and 29 December 2016. It said it had hired a cyber security firm to investigate the breach, which "identified signs of the operation of malware designed to access payment card data from cards" used on site at front desks at certain hotels.
It added that there was no evidence of payment card data being accessed after 29 December, but cautioned that it couldn't confirm the eradication of the malware until investigations began in February and March of this year.
The hotel chain said the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic strip of a payment card as it was being routed through the affected hotel server. "There is no indication that other guest information was affected," it said in a statement.
The hotel chain had suffered a breach earlier in the year. This breach not only affected its hotels but also bars and restaurants at hotels, such as the Knob Hill Club and Michael Jordan's Steak House and Bar at Intercontinental Chicago.
It also published a list of affected operations and times they were breached in a separate web page. The list features over a thousand hotels affected by the malware.
The chain has now deployed point-to-point encryption payment in a bid to prevent malware from searching systems for card data. The hotel affected by the breach had not previously implemented this security measure.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
In addition, a subsidiary of Intercontinental Hotels, Kimpton Hotels, is fighting a class action lawsuit over allegations that the chain failed to adequately protect guests' payment card data and other personal information.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime