In December 2016, KrebsOnSecurity broke the news that fraud teams at a number of banks were seeing a pattern suggesting a widespread, malware based, payment card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG).
In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data – according to Krebs Online.
According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”
IHG didn’t say how many properties in total were affected, although it has published a state-by-state lookup tool available here.
IHG has been offering its franchised properties a free examination by an outside computer forensic team hired to look for signs of the same malware infestation known to have hit other properties. But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state lookup tool.
IHG franchises who accepted the security inspections were told they would receive a consolidated report sharing information specific to the property, and that “your acquiring bank and/or processor may contact you regarding this investigation.”
IHG also has been trying to steer franchised properties toward adopting its “secure payment solution” (SPS) that ensures cardholder data remains encrypted at all times and at every “hop” across the electronic transaction. According to IHG, properties that used its solution prior to the initial intrusion on Sept. 29, 2016 were not affected.
“Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data,” IHG wrote.
Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.
In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors.
The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.