InterContinental Hotel Group, the U.K.-based hospitality group which owns and operates brands like Crown Royale and Holiday Inn, recently reported finding malware in 1,200 of its U.S. franchise hotel locations. The malware looks to have been designed to steal guests’ payment card information.
The breach, which reportedly could have affected cards left at the front desk between September and the end of December 2016, came to light after card networks warned the hotels that unauthorized charges had been made on cards that had been used legitimately at their locations, said Finextra.
While the risk of a breach had been known and an investigation launched at the end of last year, the full scale of the malware had not been discovered until more recently. The investigation has since found that the malware was created to look for track data from the magnetic stripe — information like card numbers, expiration dates, verification codes and occasionally cardholder names.
A spokesperson for IHG had provided the following statement: “IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations. We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support. We continue to work with the payment card networks.”
“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”
Last year saw a record number of data breaches hit the U.S., up 40 percent from 2015. The financial services industry accounted for only 4.8 percent, less than business, health care, education and the government and military.