Posts Tagged: InterContinental Hotels Group


18
Apr 17

InterContinental Hotel Chain Breach Expands

In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

An Intercontinental hotel in New York City.

An Intercontinental hotel in New York City.

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”

IHG didn’t say how many properties total were affected, although it has published a state-by-state lookup tool available here. I counted 28 in my hometown state of Virginia alone, California more than double that; Alabama almost the same number as Virginia. So north of 1,000 locations nationwide seems very likely.

Update, April 19, 11:09 a.m. ET: Danish geek Christian Sonne writes that his research on the state lookup tool shows there are at least 1,175 properties on the list so far. The breakdown so far is: 1,175 properties across the USA and Puerto Rico in the following brands, Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).

Original story:

IHG has been offering its franchised properties a free examination by an outside computer forensic team hired to look for signs of the same malware infestation known to have hit front desk systems at other properties. But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state lookup tool.

A letter from IHG to franchise customers, offering to pay for the cyber forensics examination.

A letter from IHG to franchise customers, offering to pay for the cyber forensics examination.

IHG franchises who accepted the security inspections were told they would receive a consolidated report sharing information specific to the property, and that “your acquiring bank and/or processor may contact you regarding this investigation.”

IHG also has been trying to steer franchised properties toward adopting its “secure payment solution” (SPS) that ensures cardholder data remains encrypted at all times and at every “hop” across the electronic transaction. According to IHG, properties that used its solution prior to the initial intrusion on Sept. 29, 2016 were not affected.

“Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data,” IHG wrote. Continue reading →


6
Feb 17

InterContinental Confirms Breach at 12 Hotels

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

Top of the Mark, San Francisco, one of the bars impacted by the IHG card breach.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt. Continue reading →


28
Dec 16

Holiday Inn Parent IHG Probes Breach Claims

InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.

An Intercontinental hotel in New York City. Image: IHG

An Intercontinental hotel in New York City. Photo: IHG.

Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.

Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations.  We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements.  If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza. Continue reading →