06
Feb 17

InterContinental Confirms Breach at 12 Hotels

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

25 comments

  1. What strain of malware was used and how can other companies check for it?

    • IHG (I Have Gas)

      A Highly Sophisticated malware strain was used. Other Companies need to be protecting themselves from any kind of attacks, not just this one. IOCs from one breach may not be valid for other attacks, especially once it has been found and has been known for over a month. Make sure you are protecting, logging and monitoring rather than focusing on one malware strain!

  2. IRS iTunes Card (real)

    The breaches just continue on…..

  3. They can steal your data, then your money, but no chargeback for that. Am I right?

  4. You would think that the hotel where these breaches are occurring would be very concerned about THEIR reputation. After all, you stay at the hotel and spend money in the restaurants, etc. If my account had been hacked at one of these hotels, you can bet I would never stay there again. Remember, a happy guest tells 10 friends, while a dissatisfied one tells the world. There are many many methods to spread the bad word.

    I realize that the shops and other establishments at a hotel property are private companies and separate from the hotel operations, but doesn’t the hotel have some sort of responsibility to the public? Sort of “Clean up your act, or get out” type responsibility?

    • Clearly it’s in the best interests of hotels to protect their customers from cybercriminals. It is for any business.

      The problem is that when committing fraud becomes more difficult at some companies, the fraudsters will rotate toward more vulnerable targets.

      In this case, a lot of banks and online retailers have hardened their defenses, so the fraudsters will take the hard won tactics they’ve perfected there to attack other arguably less-sophisticated organizations – in this case hotels.

      There’s a ton going on for travel companies these days. Mobile apps are plenty and competition is tough. Hotels want easy interactions with customers, and customers want carefree transactions. Fraudsters see opportunity here and EMV technology is also moving cybercrime online.

      I’m not defending the lax security measures by any means, but many of these crime rings are well organized professional operations. It’s very challenging for any company to go it alone. Hotels can’t just take security for granted or expect their technology vendors to protect them. They’ll need to embrace the security challenges or 2017 may be a very difficult year indeed.

  5. Why is Trump hotel ALWAYS getting hacked, is anyone monitoring these hotels to see if once they are hacked they are taking the proper action to secure their systems?

  6. Most of the cyber defense that is considered “state of the art” is broken. Hotels like this one spent millions of dollars on perimeter based defense such as intrusion detection, 2nd gen firewalls and 2nd gen endpoint solutions. Unfortunately, that strategy doesn’t work. Many attacks are stopped but all it takes is one to get through to the internal networks. They will get in.

    So, how will you know if there is an attacker in your network? How will you understand their intentions? How will you stop the attack and return to normal operations?

    The leading edge of this is technology such as moving target defense (MTD) and deception technology. These technologies are complementary – they help obfuscate and camouflage your real IT resources. In the case of deception, they engage and then trap the intruders. Automation can isolate and then shut down the attack.

    Intercontinental is a relatively innocent victim in an escalating wave of cyber crime sponsored by scum sucking criminals. It is not their fault. Almost 99.999% of the hotels out there would fall to the same attack vector. In fact, some have and just don’t know it yet!

  7. IMHO… the commercial sector is intentionally deciding to avoid building effective information security programs. By doing so, they are intentionally deciding to push any risk of compromise to their customers and business partners.
    The only historical analogies I can think of were the debates of manufacturers putting safety belts in cars in the 1950s-1970s and the implementation of safety gear and safety equipment in manufacturing workplaces in the 1950s through 1980s.
    What makes this more difficult: These breaches are bloodless in the eyes of most people. Unless someone is suffering physically, nobody seems to care.

  8. No surprise!
    My only question is this: if the illuminati is in fact
    behind all the cybercrime and fraud, then why do they
    put their own members in jail? Are those cybercriminals
    duped by the illuminati? Does the illuminati only use them as idiots?
    Those poor Soviets and African Igbos.
    Can anyone answer this question here?

  9. I keep remembering an old story line from yonder. And looking for repeats. The story was infiltrating a bank program, by using a special card, and hunting down the numbers thru the wiring. A certain burst frequency. With computers, that would be investigating certain ports. Even the report Back, would have to carry the feedback. Even now, especially, when we use the data card, it could capture the response and the circuit information.
    Everyone knows the ones and zeros mean data, but do they realize, data can mean programs?

  10. What I find interesting with hotel breaches is that most of the time the breach is at the restaurant/bar and rarely at the front desk.

    When I am in a hotel, I usually just charge it to the room.

    • Smart observation. Whenever I’ve had my information stolen, I can usually trace when it occurred to when I handed my card to someone, who, when I contact the business after my bank contacts me, no longer works there…

    • Indeed. Sounds like a good argument for not dining in a hotel restaurant unless you are also staying at the hotel.

  11. To Society, Point-of-Sale (PoS) credit card fraud is like a tolerable yet mildly annoying chronic skin disease.

    The hotels don’t care, they have insurance and the attacks are infrequent and quickly forgotten.

    The card companies don’t care, their total losses from fraud are statistically small compared to overall profits, and the added cost of fraud is simply passed on to (and spread amongst) their customer-base.

    The card holders don’t care, the credit card companies “indemnify” them, even though in the end the card holders (as a group) end up paying for the fraud anyway.

    Law enforcement is useless. In-general, if you DON’T want something done, let Big Government do it – and that includes enforcing the law.

    Today, even optional easy to implement multi-factor authentication (MFA) would go a long way toward solving the credit card fraud problem. But you rarely see MFA implemented. Why? Because it’s like I said: The credit card companies don’t care, and neither do the customers.

    These hotel hacks you’re hearing about are just the tip of the iceberg. I am a Westerner living in Asia who travels frequently. I was a tasty target with a vulnerable card-use profile – but statistically still just a drop in the bucket. I experienced credit card fraud in hotels, restaurants, and retail outlets too many times. Now I tend to use cash and (sometimes) traveler’s checks. I still use credit cards but very very selectively, and the card never leaves my sight.

    I have explained all this to my credit card issuers many times. They are apologetic, but in the end – they don’t care.

  12. Perhaps I am simply missing it – but, what PoS brand is IHG using (Oracle Micros, NEC etc.)?

    • I think that’s private information and so you can’t get it which means the good news is that you didn’t miss anything the bad news is you were wrong about why you don’t have that information. But that’s ok I was wrong once myself: there was this one time – at band camp – wherein I thought I had been mistaken about something – but – turns out I wasn’t, as usual. Therefore in that one time (so far!) of my life I was wrong and so now I can empathize with you about how wrong you were and so why I’m posting this reply to you.

  13. As a restaurant IT exec…this is concerning. However, their failure was not implementing a simple end to end encrypted credit card reader system. We have them installed and if there was malware reading data…it would be useless data to the hacker.

    EMV is starting to get better, but at one point it was not viable due to tipping, and how cards need to be preauthorized before and the tip applied after the final amount.

    Europe has it everywhere when I went, however their tipping isn’t a big part of their dining out culture.
