April 18, 2017

In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

An Intercontinental hotel in New York City.

An Intercontinental hotel in New York City.

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”

IHG didn’t say how many properties total were affected, although it has published a state-by-state lookup tool available here. I counted 28 in my hometown state of Virginia alone, California more than double that; Alabama almost the same number as Virginia. So north of 1,000 locations nationwide seems very likely.

Update, April 19, 11:09 a.m. ET: Danish geek Christian Sonne writes that his research on the state lookup tool shows there are at least 1,175 properties on the list so far. The breakdown so far is: 1,175 properties across the USA and Puerto Rico in the following brands, Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).

Original story:

IHG has been offering its franchised properties a free examination by an outside computer forensic team hired to look for signs of the same malware infestation known to have hit front desk systems at other properties. But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state lookup tool.

A letter from IHG to franchise customers, offering to pay for the cyber forensics examination.

A letter from IHG to franchise customers, offering to pay for the cyber forensics examination.

IHG franchises who accepted the security inspections were told they would receive a consolidated report sharing information specific to the property, and that “your acquiring bank and/or processor may contact you regarding this investigation.”

IHG also has been trying to steer franchised properties toward adopting its “secure payment solution” (SPS) that ensures cardholder data remains encrypted at all times and at every “hop” across the electronic transaction. According to IHG, properties that used its solution prior to the initial intrusion on Sept. 29, 2016 were not affected.

“Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data,” IHG wrote.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

It’s a good bet that none of the above-mentioned companies were running point-to-point encryption (P2PE) solutions before they started hemorrhaging customer credit cards. P2PE is an added cost for sure, but it can protect customer card data even on point-of-sale systems that are already compromised because the malware can no longer read the data going across the wire.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

35 thoughts on “InterContinental Hotel Chain Breach Expands

  1. B_Brodie

    Kudos to the home office for working to implement a secure payment solutions before the breach.

    Not so much to local management who decided to put off implementation for reasons of cost or ‘convenience’…

  2. Robin

    Apart from checking statements, there’s nothing the user can actually do to protect themselves in advance, is there?

    1. Farooq

      Change your credit card information; tell your company that you may possibly be a victim of the IHG breach and that you’d like a new Credit Card number.

    2. steve

      Get yourself a Discover Card and download their app to your smartphone. The Discover Card allows you to easily lock and unlock your account for use quickly. Keep your account locked at all time except for those few minutes you need to use it, like at a restaurant or gas station after they swipe your card lock the account. It works great from me. Takes me less than 30 seconds to unlock and re-lock. I use an iPhone and the fingerprint scanner. The Discover phone app lets you login by fingerprint too. I can pull up to a gas station pump unlock my iPhone in seconds using a fingerprint, touch the Discover app to open and login with my fingerprint again, unlock the card get out of my car pump gas get back in card and lock it. Easy peasy. They may steal your card number but it will only be useful during those 30 seconds you chose to unlock and use the card. That effectively renders your card number useless to a crook.

      1. Jim

        Dream on. Again, you are using an insecure device, apple is as secure as windows, Linux and Android. Even there are reports that apple pay is busted or traceable. And ever heard of device cloning? I have, and I’m not up on the latest, but,they can…
        Secondary, you use a electronic device near gas vapors, the device can be a source of static discharge, no thank you. Even in California you can smell the gas in the air around a pump, that’s enough to flash, and remove your eyebrows.

        1. JCitizen

          I don’t think he was using the phone as a payment device, only as a way to turn on and off his card usage. He would still swipe his Discover card in a POS during a sale. I like the idea, but I don’t really need a cell phone, so maybe one day I will, if I ever have to trade my phone in.

      2. Nancy

        Many institutions now offer this option. Check with your bank or credit union to see if they offer CardValet by Fiserv. Excellent smartphone app that allows you to “turn off” your card until you need to use it.

      3. Astra Wally

        That’s of course if you do not use your card for hotels, airlines, utilities, recurring payments, iTunes etc all which can authorize payment against your card at any arbitrary time.

        The card lock/unlock is a good idea but only if you use your card for card present, over the counter purchases.

        Current mandates from Visa and MasterCard are requiring banks to start to introduce purchase alerts, that is alerting the customer when an authorization is made rather than checking the statement weeks afterwards. My bank already offers this an it is invaluable in terms of letting me known when authorizations have taken place.

        Note – as per the opening statement, the notifications confirm that authorizations for card not present purchases happen at the daftest hours..

    3. Eric E

      Robin – best thing you can proactively do is use services like Apple Pay that dynamically generate one time use cc card numbers if at a physical location. Online many credit cards offer services to generate one time use numbers but services like Apple Pay are far more convenient.

      Letting companies know that how well they do or don’t treat your credit card transactions is a factor in deciding if to do business with them never hurts either. The more people do this the more pressure companies will feel to modernize their payment systems.

    4. Vog Bedrog

      You’re already protected by your card scheme and by your bank – as long as you report any fraud quickly you won’t lose anything. If you want to ensure you’re not funding any criminal enterprise (due to this breach at least), replace any cards you’ve used.

  3. jvb

    Too many breaches. and who they blame for it ?
    communist kabbalists are really serious i can see
    all they know is how to steal.
    as we call this breaches road to chip under skin

    1. Haiku much

      Man, I was just thinking the EXACT same thi…..ok, I’m lying. That’s either broken English or a Haiku gone wrong.

      1. JCitizen

        Looks like Haiku gone right to me! The beauty of art is in the eye of the beholder.

  4. David

    If the retailers were fully liable for all of the costs associated with the breach including reimbursing customers, reissuing cards and paying compensation I’m sure they would be more interested in adopting secure systems.

  5. Dan. R.

    I just got a notice in the mail regarding this, and will close the credit card I used for my reservation. This is like the 6th breach I have been part of. Im getting tired of it, the worst was OPM.

  6. to dan

    But bank will reinburse your loss.
    what u are stressed? I many times even
    transfered money from my account to
    someone else account. Coz i called and said hackers stole my money lol…
    Then bank reinbursed 100%
    Easy biizy 🙂

    1. nad ot

      Why? What is the incentive to come on here and post things like this? Who would pay for it?

  7. Stephen

    If the Company is offering to make sure that a franchise hotel is free of malware and not charge the franchisee anything, what on earth could they use as an excuse for not having it done? I am going on a cross country trip in August and you can bet when I make my reservations at the Holiday Inn Express hotels along the way, I am going to call each hotel and ask if they have the SPS in place. If not I will not use them.

    1. Joe Moore

      I seriously doubt the chain is offering “to make sure that a franchise hotel is free of malware”. That would cost serious bucks. I suspect they will only be looking for a specific malware variant on only systems used for payment acceptance. I expect we’ll now have miscreants calling the franchises claiming to be the PFIs, and asking front desk clerks to browse to the download site for their remote “investigating” tool…

      1. BrianKrebs Post author

        It was to help them do an examination of their front-desk systems only. I included that as a follow-up edit just minutes after publishing the story to clarify. I’m guessing you’re looking at a cached version of the story.

      2. Hans Jiery

        Many hoteliers are very unsophisticated and the industry in general has a poor record of putting the necessary dollars into I.T. at the property level or at corporate.

  8. Gaythia Weis

    What an awful lookup tool IHG provided!!!
    It is not always obvious, when traveling, which town a property may actually have as a formal address. And, then, in the case that I did verify that information online and look up the property on this tool, it is not listed. Which, I learn can mean that they are not affected, IHG hasn’t figured that out yet, or that they are a franchise that refused to participate. What does it mean to take the corporate name and be a franchise then? IHG of course, knows perfectly well which properties I’ve stayed in. Why don’t they take it upon themselves to tell me?

  9. vb

    “A fool and his money are soon parted” In the case of these breaches, it’s clear that the data intelligence of the hackers is about an order of magnitude greater than that of the restaurant/hotel operators.

    I once read of a sociopath who considered it his *duty* to take money from fools. Some fools know that they need protection. Apparently not these fools.

  10. Brogrammer

    Let me just say that I just found your website like 2 weeks ago and wow. I’ve been reading your previous posts and they are great! I finally got the courage to comment, considering IHG is my go-to hotel I was very interested in this post. I immediately checked the online tool right away.

    You website is now bookmarked, and that is saying a lot considering I’m a computer engineer and I’m very picky. Keep it up!

    P.S. – to the user named “to dan” you’re a moron. (sorry, but I hate dishonest people)

  11. ando

    I see now..we need home land security, police must have bigger power to catch up bad guys !!
    Bad guys must be in jail we need urgently Martial Law Asap

  12. Barry

    Say, how about those Trump hotels? You’d think they would be a natural target for hackers looking for a trophy …

  13. Grant

    I suspect the potential window for malfeasance is somewhat longer than the one or two months stated for each property on the lookup website. When you call to make a reservation, for example, the front desk confirms you have a card on-file with them. And they appear to know the account number.
    Is it possible that gets skimmed-off too, by the malware? So you needn’t have physically swiped or dipped at the hotel location during the period in question?

  14. VAT registered UK company

    In the course of recent months there have been many issues with Credit sellers and Advertisers.Legal agencies should keep us educated about the credit card frauds.

  15. Mrs. N

    Instead of recommending we check our statements carefully, IHG ought to pay for a year of credit monitoring.

    Additionally, they should have come clean a lot sooner. My affected stays were in NOVEMBER and they’re just now getting around to saying something. Some time back, my credit union caught the unauthorized card activity and shut it down. Not a peep from IHG. Not a breath of a hint.

  16. Night King

    The Night King is hoping Donald Trump apprehends and punishes the ‘bad hombres’ who stealing US citizen information.

  17. MalwareMolly

    Have there been any IOC released for this breach?

  18. Eric

    Got my notice the other day. They were kind enough to inform me that I should be vigilant in looking for fraudulent activity. I can also request a free credit report from the big three each year. They obviously really care about their guests

Comments are closed.