More than 1,200 hotels owned by the InterContinental Hotels Group (IHG) fell victim to a three-month-long malware attack last year that targeted customer payment card data.
According to a statement released by IHG, an investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations.”
The breach, which took place between September 29 and December 29, was initially reported by cybersecurity reporter Brian Krebs. IHG acknowledged the breach but at the time claimed that only 12 properties were involved. However, last week the company released data showing that the true number is more than a hundred times larger.
Malware targets many hotels
The IHG statement reported that the malware searched for track data – which sometimes includes the cardholder name as well as the card number, expiration date, and internal verification code – read from the magnetic stripe of payment cards as the data was being routed through the affected hotel server.
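To make concrete what "track data" is, and therefore what both a RAM scraper and a defender's detection rule look for, here is an added Python example. It is not code from IHG's statement or from any party named in the article. It scans a byte buffer for ISO/IEC 7813 Track 1 and Track 2 records, drops candidates whose card number fails the Luhn check (a common false-positive filter in scrapers and DLP signatures alike), and reports only a masked PAN. The buffer, cardholder name and decoy record are constructed for the example; the card number is the publicly known Visa test number 4111 1111 1111 1111.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1, format code B (ISO/IEC 7813):
#   %B<PAN 13-19 digits>^<NAME 2-26 chars>^<YYMM><3-digit service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2 (ISO/IEC 7813):
#   ;<PAN 13-19 digits>=<YYMM><3-digit service code><discretionary digits>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six (BIN) and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned buffer
    pan_masked: str
    name: Optional[str] # only present on Track 1
    expiry: str         # YYMM
    service_code: str


def scan_for_track_data(buf: bytes) -> List[TrackHit]:
    """Return Luhn-valid Track 1/Track 2 records found in a raw buffer, in offset order."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_valid(pan):
            continue
        hits.append(TrackHit(1, m.start(), mask_pan(pan),
                             m.group("name").decode(errors="replace").strip(),
                             m.group("exp").decode(), m.group("svc").decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_valid(pan):
            continue
        hits.append(TrackHit(2, m.start(), mask_pan(pan), None,
                             m.group("exp").decode(), m.group("svc").decode()))
    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed sample: what a chunk of POS process memory or an intercepted
# transaction record might contain. The decoy Track 2 record uses a PAN that
# fails Luhn and must not be reported.
SAMPLE_BUFFER = (
    b"\x00\x00POS_TXN_0042 "
    b"%B4111111111111111^DOE/JANE^2512101000000000?"      # Track 1, test PAN
    b" ;1234567890123456=2512101?"                        # decoy, Luhn-invalid
    b" ...padding... "
    b";4111111111111111=25121010000000000?"               # Track 2, test PAN
    b"\xff\xfe"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_BUFFER):
        print(f"track{hit.track} @0x{hit.offset:04x} pan={hit.pan_masked} "
              f"exp={hit.expiry} svc={hit.service_code} name={hit.name}")
```

The same two regular expressions, applied to memory dumps of card-handling processes or to traffic leaving the payment segment, are the basis of many POS-malware and DLP detections; the Luhn filter is what keeps sixteen-digit timestamps and order numbers from flooding the alert queue.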
The 1,200 compromised hotels represent more than a fifth of IHG’s properties. The British hotel conglomerate operates in over 100 countries and has a dozen brands, of which Holiday Inn, Crowne Plaza, Hotel Indigo, Candlewood Suites, and Staybridge Suites were affected.
IHG’s website includes a list of all the hotels that were breached. So far, it looks as though its scope is limited to the US and Puerto Rico.
With this breach, IHG joins a number of large hotel chains that have been targeted by cyber criminals over the past few years. Mandarin Oriental, Hilton, Kimpton Hotels (a subsidiary of IHG), Trump Hotels (twice), and White Lodging (twice) have all acknowledged card breaches.
If you’re concerned about your organization’s susceptibility to card data breaches, you’ll be interested in IT Governance’s PCI Compliance Penetration Testing service.
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits payment card data, and compliance with the Standard requires penetration testing both from outside the network perimeter (external testing) and from inside it (internal testing).
Those tests should cover the network and application layers, as well as the controls and processes around the in-scope networks and applications.