IHG Credit Card Breach May Impact 1000-Plus Hotels

Nellie Chapman | 20 April, 2017, 07:30

This breach affects more properties than the first payment card data breach IHG confirmed in February, which affected card payments at 12 hotels in the USA and Caribbean. While the impact of the breach on financial institutions is as yet unknown, the figures reported by IHG would make this breach one of the largest hotel company data breaches in recent years. The page also contains a caveat that a "small percentage of IHG-branded franchise properties did not participate in the investigation", which is definitely not enough information.

The latest breach affected transactions made between September 29, 2016 and December 29, 2016, and the company says there is no evidence any cards were compromised after this date.

It's a good bet that none of the above-mentioned companies were running point-to-point encryption (P2PE) solutions before they started hemorrhaging customer credit cards.

This is the second breach the company has revealed this year.

The attack hijacked information taken from the payment cards' magnetic stripes as it was being routed through the hotels' computer servers, said the hotel group.

Buckinghamshire-based IHG had previously reported in February that a dozen U.S. hotels that it managed itself had been affected by the same attack.

IHG also has been trying to steer franchised properties toward adopting its "secure payment solution" (SPS) that ensures cardholder data remains encrypted at all times and at every "hop" across the electronic transaction.

InterContinental says that the investigation at all locations isn't yet complete, and advises customers to keep checking back. The malware generated unauthorized charges on those cards, IHG says.

Customers at ten CT hotels may have had their credit card information stolen, according to the company that manages the properties.

On behalf of franchisees, IHG has been working closely with the payment card networks as well as with the cyber security firm to confirm that the malware has been eradicated and evaluate ways for franchisees to enhance security measures.

The ramifications of the malware infection were mitigated a little by the group's rollout of an encrypted payment acceptance system.

The breach, which security journalist Brian Krebs reported was being investigated in December, occurred between September and December last year.

For potential victims, however, it's worth noting that users of credit cards are generally not liable for fraudulent charges if they report them in a timely manner.