IHG Hack Hit Hospitality Guests in the Wallet

In December 2016, hotel conglomerate IHG announced a data breach that affected credit card transactions in restaurants and shops at approximately a dozen hotels. Last week, the company provided a bit of clarity on the word "approximately": After further investigation, it seems that customers at more than 1,000 hotels might have been hit by credit card theft.

A Danish researcher, Christian Sonne, walked through the list of affected hotels and put the minimum number at 1,175. For customers, though, the issue might be less, "how many hotels" and more, "how will this affect me?"

Image: Creative Commons License by teadrinker

In a report on the incident, researchers at Kaspersky Labs note that the breach was due to malware on the servers they use to process credit cards. The malware captured "track data" -- information on credit cards' magnetic stripes, including the card number, expiration date and internal verification code.

IHG acknowledged that the breaches were active through at least December 29, 2016, though there's no certainty that the malware was eliminated until the breach was investigated in February and March of this year. The hospitality industry as a whole has been hit hard by breaches of this sort; in a blog post on the subject, security researcher Brian Krebs wrote, "Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt."

Some commentators have criticized IHG for the website on which they list the properties known to have been affected by the breach. The location website asks users to walk through a number of drop-down menus in order to find the hotels in a particular city that were hit by the malware. The listing, while complete, can be cumbersome, especially for business travelers who might have stayed in a number of different properties during the time of the attacks.

In the announcement of the breaches, IHG notes that their new payment system makes the type of attack impossible and assures customers that all malware and traces of the attack have been removed from the IHG systems.

— Curtis Franklin, Security Editor, Light Reading. Follow him on Twitter @kg4gwa.