Payment card data-targeting malware has hit hundreds of InterContinental Hotels Group (IHG) properties.
The UK-based company confirmed franchisee-operated hotels in the USA and Puerto Rico were made aware by payment card networks of patterns of unauthorised charges on payment cards after they were used at their locations. No UK hotels are known to have been affected.
An investigation by a cyber security firm identified signs of malware designed to access payment card data from cards used onsite at the front desk of a number of IHG-branded franchise hotels, including Holiday Inn and Crowne Plaza properties, between September 29 2016 and December 29 2016.
The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication other guest information was affected.
Before the incident, some IHG-branded franchise hotels had implemented IHG’s Secure Payment Solution (SPS) and were not affected, and more have since implemented SPS, ending the ability of the malware to find payment card data.
A list of affected franchise locations and respective time frames is available here. IHG has also established a dedicated call centre for guests affected.
A statement from IHG read: “On behalf of franchisees, IHG has been working closely with the payment card networks as well as with the cyber security firm to confirm that the malware has been eradicated and evaluate ways for franchisees to enhance security measures. Law enforcement has also been notified.”