February 6, 2017

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).


28 thoughts on “InterContinental Confirms Breach at 12 Hotels

  1. J

    What strain of malware was used and how can other companies check for it?

    1. IHG (I Have Gas)

      A Highly Sophisticated malware strain was used. Other Companies need to be protecting themselves from any kind of attacks, not just this one. IOCs from one breach may not be valid for other attacks, specially once it has been found and has been known for over a month. Make sure you are protecting, logging and monitoring rather than focusing on one malware strain!

    1. Sam

      That would be ‘breaches’. Nothing possessive about them.

      At least you fixed the ‘iTune’ nonsense, though so that’s commendable. I suppose.

  2. Dejan

    They can stole your data, than your money, but no chargeback for that. Am I right?

  3. bobl

    You would think that the hotel where these breaches are occurring would be very concerned about THEIR reputation. After all, you stay at the hotel and spend money in the restaurants, etc. If my account had been hacked at one of these hotels, you can bet I would never stay there again. Remember, a happy guest tells 10 friends, while a dissatisfied one tells the world. There are many many methods to spread the bad word.

    I realize that the shops and other establishments at a hotel property are private companies and separate from the hotel operations, but doesn’t the hotel have some sort of responsibility to the public? Sort of “Clean up your act, or get out” type responsibility?

    1. mike

      Clearly it’s in the best interests of hotels to protect their customers from cybercriminals. It is for any business.

      The problem is that when committing fraud becomes more difficult at some companies, the fraudsters will rotate toward more vulnerable targets.

      In this case, a lot of banks and online retailers have hardened their defenses, so the fraudsters will take the hard won tactics they’ve perfected there to attack other arguably less-sophisticated organizations – in this case hotels.

      There’s a ton going on for travel companies these days. Mobile apps are plenty and competition is tough. Hotels want easy interactions with customers, and customers want carefree transactions. Fraudsters see opportunity here and EMV technology is also moving cybercrime online.

      I’m not defending the lax security measures by any means, but many of these crime rings are well organized professional operations. It’s very challenging for any company to go it alone. Hotels can’t just take security for granted or expect their technology vendors to protect them. They’ll need to embrace the security challenges or 2017 may be a very difficult year indeed.

  4. christy

    Why is Trump hotel ALWAYS getting hacked, is anyone monitoring these hotels to see if once they are hacked they are taking the proper action to secure their systems?

  5. Mike

    Most of the cyber defense that is considered “state of the art” is broken. Hotels like this one spent millions of dollars on perimeter based defense such as intrusion detection, 2nd gen firewalls and 2nd gen endpoint solutions. Unfortunately, that strategy doesn’t work. Many attacks are stopped but all it takes is one to get through to the internal networks. They will get in.

    So, how will you know if there is an attacker in your network? how will you understand their intentions? How will you stop the attack and return to normal operations?

    The leading edge of this is technology such as moving target defense (MTD) and deception technology. These technologies are complementary – they help obfuscate and camouflage your real IT resources. IN the case of deception they engage and then trap the intruders. Automation can isolate and then shut down the attack.

    Intercontinental is a relatively innocent victim in an escalating wave of cyber crime sponsored by scum sucking criminals. It is not their fault. Almost 99.999% of the hotels out there would fall to the same attack vector. In fact, some have and just don’t know it yet!

    1. Catwhisperer

      The only safe computer is one that isn’t connected to the Internet. However, the only absolutely safe computer is one that isn’t powered up.

  6. AWSitte

    IMHO… the commercial sector is intentionally deciding to avoid building effective information security programs. By doing so, they are intentionally deciding to push any risk of compromise to their customers and business partners.
    The only historical analogies I can think of were the debates of manufacturers putting safety belts in cars in the 1950s-1970s and the implementation of safety gear and safety equipment in manufacturing workplaces in the 1950s through 1980s.
    What makes this more difficult: These breaches are bloodless in the eyes of most people. Unless someone is suffering physically, nobody seems to care.

  7. mandarinki

    No surprise!
    my only guestion is this if illuminati is as fact
    behind the all cybercrime and fraud then why they
    put they own members in jail ? Are those cybercriminals
    are duped by illuminati ? is illuminati only use them as idiots?
    Those poor soviets and aftican igbos.
    can anyone answer this question here?

  8. Jim

    I keep remembering an old story line from yonder. And looking for repeats. The story was infiltrating a bank program, by using a special card, and hunting down the numbers thru the wiring. A certain burst frequency. With computers, that would be investigating certain ports. Even the report Back, would have to carry the feedback. Even now, especially, when we use the data card, it could capture the response and the circuit information.
    Everyone knows the ones and zeros mean data, but do they realize, data can mean programs?

  9. Eric

    What I find interesting with hotel breaches is that most of the time the breach is at the restaurant/bar and rarely at the front desk.

    When I am in a hotel, I usually just charge it to the room.

    1. Old School

      Smart observation. Whenever I’ve had my information stolen, I can usually trace when it occurred to when I handed my card to someone, who, when I contact the business after my bank contacts me, no longer works there…

    2. Stratocaster

      Indeed. Sounds like a good argument for not dining in a hotel restaurant unless you are also staying at the hotel.

  10. Drone

    To Society, Point-of-Sale (PoS) credit card fraud is like a tolerable yet mildly annoying chronic skin disease.

    The hotels don’t care, they have insurance and the attacks are infrequent and quickly forgotten.

    The card companies don’t care, their total losses from fraud are statistically small compared to overall profits, and the added cost of fraud is simply passed on to (and spread amongst) their customer-base.

    The card holders don’t care, the credit card companies “indemnify” them, even though in the end the card holders (as a group) end up paying for the fraud anyway.

    Law enforcement is useless. In-general, if you DON’T want something done, let Big Government do it – and that includes enforcing the law.

    Today, even optional easy to implement multi-factor authentication (MFA) would go a long way toward solving the credit card fraud problem. But you rarely see MFA implemented. Why? Because it’s like I said: The credit card companies don’t care, and neither do the customers.

    These hotel hacks you’re hearing about are just the tip of the iceberg. I am a Westerner living in Asia who travels frequently. I’m was tasty target with a vulnerable card-use profile – but statistically still just a drop in the bucket. I experienced credit card fraud in hotels, restaurants, and retail outlets too many times. Now I tend to use cash and (sometimes) traveler’s checks. I still use credit cards but very very selectively, and the card never leaves my sight.

    I’ve have explained all this to my credit card issuers many times. They are apologetic, but in the end – they don’t care.

    1. Not a friend

      Pure fluff. They knew they were not PCI compliant.

  11. Bill Green

    Perhaps I am simply missing it – but, what PoS brand is IHG using (Oracle Micros, NEC etc.)?

    1. Sam

      I think that’s private information and so you can’t get it which means the good news is that you didn’t miss anything the bad news is you were wrong about why you don’t have that information. But that’s ok I was wrong once myself: there was this one time – at band camp – wherein I thought I had been mistaken about something – but – turns out I wasn’t, as usual. Therefore in that one time (so far!) of my life I was wrong and so now I can empathize with you about how wrong you were and so why I’m posting this reply to you.

      1. Curmudgeon

        Just BEING at band camp indicates a serious error in judgment.

  12. Redliner

    As a restaurant IT exec…this is concerning. However, their failure was not implementing a simple end to end encrypted credit card reader system. We have them installed and if there was malware reading data…it would be useless data to the hacker.

    EMV is starting to get better but at one point not viable due to tipping..and how cards need to be preauthorized before and applying tip after final amount.

    Europe has it everywhere when I went, however their tipping isn’t a big part of their dining out culture.

  13. Listening & Learning

    As a Hospitality IT Veteran experienced cleaning up PCI messes, most hotel company executives don’t understand or value IT, its very hard to convince people to spend money or time on security when people are highly incentive to make profits, they will ignore costs for proper security. Hospitality is a manage-up industry with high turnover, executives have to work harder managing bosses/owners ego’s and delivering bigger profits than actually managing the asset.

    Many IT people in hospitality are former accounting people or the guy who knew most about computers at the time. A large portion of hospitality IT people think money is first (again accountants – that’s their mindset). Even if they are not accountants, almost all report to Finance Executives who’s bonus is based on spending the least possible and make the most for the resort.

    Also, IT is a “hidden” department, guests don’t see IT so hotel companies don’t spend the same money or the proper resources on it as they would making sure the grass is cut properly. Hotels are completely focused on profit – so what the guest see’s is #1 – you can have a huge hole in a roof if its in a back hallway as long as its not in the guest area…its a sin. Many management companies and owners roll the dice on a lot of borderline practices in the name of profits, they look at IT as a necessary evil and just want things to work…as cheap as possible. Its about the bottom line (period).

    A word of advise…previous people on this string have mentioned to charge to your room…that’s great advise since 95% of the time the breach occurs on the Restaurant Point of Sale or retail systems however there are Front Desk systems out their vulnerable too.

    Someone made a comment that it was hard to know what systems got compromised but all you need to do is find the press releases before the hack, many companies like to brag when they install a new technology…handing the hacker great information on what system to target. The leading software vendor in the hospitality industry has typically been Oracle (former Micros) systems. The most installed Front Desk System (known as PMS) – Property Management System is Opera – also Oracle and former Micros product too. The top 3 Restaurant Point of Sale systems are installed in 95% of all hotel chains and hackers know this.

    Another issue is that its an low paying industry for IT professionals…and the industry gets what it pays, real IT professionals are far and few between. You can find more former accountants as IT Managers than career IT people as IT Managers.

    Hospitality companies should realize it is their fault for not following PCI standards and getting breached – if any of these companies followed PCI 100% they wouldn’t have been breached. Its achievable but the cost is considered too high however profits are higher so greed kicks in…until they get breached then comes the knee jerk reaction.

    In the end, the merchant (hotel/restaurant/etc) should assume the responsibility, you hear them say…”their credit card processor isn’t ready so that’s why they don’t use P2P/Chip Card readers” that’s a cop-out. Follow PCI requirements and find a solution – they are out there. You may not be able to integrate it fully with your accounting system but it will protect you from ending up on the breach list. Its like gambling, you eventually lose out…however I’m willing to gamble we here about another hospitality company breach coming to a hotel near you very soon.

  14. laura ann

    Any stores with breaches past and present have damaged reputations ongoing, people pass info down for years. Use cash or prepaid debit. Gas stations here in my area near Fla. line had skimmers, people arrested this past week. Prepaid gas cards or cash, nothing else. Ditto for dining out places as skimmers have been used.

Comments are closed.