Hotel Card Data Breach Hits 1,200 US Locations, Sold on Dark Web

The $10 billion major British multinational hotels company InterContinental Hotels Group (IHG), which operates 5,028 hotels and 742,000 rooms across 100 countries, revealed that 1,200 hotels managed under the IHG management have been infected with sophisticated malware designed specifically to breach into servers and databases that handle sensitive financial information and client data.

In December of 2016, KrebsOnSecurity, a cyber security research company, reported that IHG tasked a group of investigators and security experts to look into possible security breaches at US-based IHG hotel locations.

Several sources of KrebsOnSecurity confirmed that financial information-targeting malware was distributed across IHG properties including Holiday Inn and Holiday Inn Express hotels in the US. Representatives of IHG reaffirmed that a series of potential security breaches across various servers of IHG hotel locations were being investigated and urged clients who experienced unauthorized charges to contact their respective credit card networks and banks.

Representatives of IHG told KrebsOnSecurity:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support. We continue to work with the payment card networks. We recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

This week, IHG confirmed that more than 1,200 hotels were hit with the same malware discovered in late 2016. Local publications including Finextra reported that previous breaches could have affected credit cards managed at the front desk of the 1,200 hotels within 3-month period between September and December of 2016.

According to IHG’s internal investigative group, the malware was tasked to track, record and transmit any financial data related to clients and their listed credit cards. Card numbers, expiration dates, internal verification code and names were routed from local hotel servers to external servers. Analysts stated that there exists a high probability of the affected client data currently being sold on dark web marketplaces. If true, this theory explains why a large number of IHG customers experienced unauthorized transactions from their credit cards and the reason IHG had to issue a nationwide warning to IHG customers and clients in regard to the safety of their financial information.

Upon the completion of the internal investigation, IHG plans to tighten and enhance security measures of IHG-managed hotels worldwide. Representatives of IHG stated that franchisees and other hotel locations that implemented IHG’s recommended peer to peer (P2P) encryption payment technology before September of 2016 were not affected by the malware.

As soon as the investigation is closed, IHG will likely request all of its hotels and subsidiary companies to implement their P2P encryption payment technology on top of other updates to their infrastructure. One financial security technology that is utilized by several multi-billion dollar corporations such as IBM is called the Safeguard. The technology autonomously detects potential security breaches and unidentified access to a financial network. If the Safeguard successfully censors an attack, the entire financial network will be shut down temporarily to recover from the attack.