A couple of days after Christmas, InterContinental Hotels Group (IHG) admitted that a number of their 5,000 hotels around the globe had been affected by a data breach.
It was reported that debit and credit information may have been stolen.
Some customers who visited those affected hotels have already reported fraudulent transactions on their bank accounts. Unfortunately, this New Year might not be the fresh start many were hoping for.
The perpetrators seemed to mainly target two of IHG’s main US hotels: Holiday Inn and Holiday Inn Express. Other IHG hotels, including Kimpton Hotels, Crowne Plaza and Staybridge Suites, have not confirmed whether they were also affected. Shortly after they were made aware of the situation, IHG hired an external cybersecurity firm for help and started investigating the incident.
IHG then gave a rather typical and entirely predictable statement saying that they were taking the situation “very seriously”. Hearing this phrase so many times, one can’t help but cringe a little and think a little cynically: “right… if only you took it seriously enough in the first place to prevent this from happening at all”!
The statement also says that they are only aware of a ‘small’ number of US-based hotel locations being affected. Now that doesn’t seem too bad, does it? But take a second to just think of how many visitors a large international hotel gets per day. These hotels typically have thousands of rooms and a lot of those will include couples or families. The international nature of hotels means that people from all over the globe may have visited the hotels, and upon returning to their home countries, they might not be aware of what’s happened.
The hotels are suspected of being affected by malware installed on Point-of-Sale (POS) systems. When payments are made at these points, the malware could make a copy of the card data, and the perpetrator could gain information such as the cardholders’ names, their card numbers, expiry dates, and their CVV codes: everything you need to make online transactions!
This isn’t the first time IHG has been involved in this sort of situation. Not long ago, 20 hotel chains were affected by similar malware that steals credit and debit card data at POS servers. InterContinental’s Kimpton Hotels and Restaurants was one of those affected. It’s arguable that IHG should have learned then to make sure they had the security in place to prevent a similar incident from happening again.