In February, Intercontinental Hotels Group alerted customers that some of its US locations had been infected with credit-card-stealing malware. Now it has admitted the cyber-outbreak is much worse than first thought.
IHG, which owns brands like Holiday Inn and Crown Plaza, has warned that around 1,200 of its hotels across the US and Puerto Rico have been hit by the same sales terminal malware – which grabs card data from the computers’ memory as payments are made. This information is then siphoned off to crooks to use online and create cloned cards. The infections were spotted on September 29, 2016 but the infections weren’t cleared up until March 2017, and some hotels might still have a problem.
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server,” IHG said today. “There is no indication that other guest information was affected.”
The hotelier said that many of its locations were unaffected because they had installed a security mechanism called Secure Payment Solution that blocked the spyware from reading off sensitive card data – however, many hotels hadn’t gotten the system up and running in time.
Since it is a franchise operation it’s up to the hotel owner to install the more secure system, and there are worries that not all of them have the system installed even now.
IHG has set up a web page with a full list of affected hotels, and it’s a very long list. The conglomerate isn’t offering any kind of identity theft support, as is usual in such cases. Instead it’s just telling customers to check their credit card statements.
That lack of customer support could turn around and bite IHG in the backside if the expected credit card fraud is widespread. The US is, after all, the land of the lawsuit, and lawyers are no doubt salivating at the chance to launch a class action suit against some of the best-known hotel brands in the country.
Source: The Register