Data breach at over 1,200 IHG properties compromises guest credit card info
After initially reporting that only a dozen of its hotel properties had been infected with a malware that compromised guests’ credit card information, InterContinental Hotels Group has now expanded that list to include more than 1,200 affected properties across the United States and in Puerto Rico.
IHG, whose brands include Holiday Inn, InterContinental Hotels, Kimpton Hotels, and the Crowne Plaza, reports that a malware accessed guests’ credit card payment data from cards used at front desks of the affected properties between September 29, 2016 and December 29, 2016. To see a full list of the affected properties, click here.
According to USA Today, while the security breach is currently only isolated to U.S. hotels and one property in Puerto Rico, IHG is investigating whether or not additional properties throughout the Americas were affected and will continue to update the list as new cases are found. Currently, Holiday Inn, Crown Plaza, Hotel Indigo, Candlewood Suites, and Staybridge Suites are the only IHG brands affected by the malware.
The security breach was initially reported by Krebs Security on December 18, 2016. IHG says it discovered the issue after some of its properties “were made aware by payment card networks of unauthorized charges occurring on payment cards after they were legitimately used at their locations.” Specifically, IHG reports, customers’ credit card “track data” was compromised, which can include the cardholder name, card number, expiration date, and internal verification code. They added that “there is no indication that other guest information was affected.”
In their statement, IHG encourages its customers to review their credit card statements for any unauthorized transactions and says that they are working with a cyber security firm to confirm “that the malware has been eradicated and [to] evaluate ways for franchisees to enhance security measures.” They also report that law enforcement has been notified of the security breach.