Malware on IHG servers sent credit card info to stay with thieves.

Curtis Franklin, Security Editor

April 20, 2017

2 Min Read
IHG Hack Hit Hospitality Guests in the Wallet

In December 2016, hotel conglomerate IHG announced a data breach that affected credit card transactions in restaurants and shops at approximately a dozen hotels. Last week, the company provided a bit of clarity on the word "approximately": After further investigation, it seems that customers at more than 1,000 hotels might have been hit by credit card theft.

A Danish researcher, Christian Sonne, walked through the list of affected hotels and put the minimum number at 1,175. For customers, though, the issue might be less, "how many hotels" and more, "how will this affect me?"

Figure 1: Image: Creative Commons License by teadrinker

Image: Creative Commons License by teadrinker

In a report on the incident, researchers at Kaspersky Labs note that the breach was due to malware on the servers they use to process credit cards. The malware captured "track data" -- information on credit cards' magnetic stripes, including the card number, expiration date and internal verification code.

IHG acknowledged that the breaches were active through at least December 29, 2016, though there's no certainty that the malware was eliminated until the breach was investigated in February and March of this year. The hospitality industry as a whole has been hit hard by breaches of this sort; in a blog post on the subject, security researcher Brian Krebs wrote, "Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt."

Some commentators have criticized IHG for the website on which they list the properties known to have been affected by the breach. The location website asks users to walk through a number of drop-down menus in order to find the hotels in a particular city that were hit by the malware. The listing, while complete, can be cumbersome, especially for business travelers who might have stayed in a number of different properties during the time of the attacks.

In the announcement of the breaches, IHG notes that their new payment system makes the type of attack impossible and assures customers that all malware and traces of the attack have been removed from the IHG systems.

— Curtis Franklin, Security Editor, Light Reading. Follow him on Twitter @kg4gwa.

About the Author(s)

Curtis Franklin

Security Editor

Curtis Franklin, Jr. has been writing about technologies and products in computing and networking since the early 1980s. He has contributed to a number of technology-industry publications including Dark Reading, InformationWeek Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, and ITWorld.com on subjects ranging from enterprise security to mobile enterprise computing and wireless networking. Curtis is the author of hundreds of articles, the co-author of three books (including Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center), and has been a frequent speaker at computer and networking industry conferences across North America and Europe. When not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in amateur radio (KG4GWA), scuba diving, stand-up paddleboarding, and is a certified Florida Master Naturalist.

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like