InterContinental data breach expands from 12 to 1,200 hotels

Updated: The data breach is far more damaging than the 12 properties originally believed to have been compromised.
Written by Charlie Osborne, Contributing Writer

InterContinental Hotels Group (IHG) has released new information on a data breach that shows the cyberattack's consequences are far worse than originally believed.

In February, the hotel chain parent company, which includes brands such as Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels and Resorts, among others, admitted to a data breach first discovered in late December last year.

The company first asserted that the compromise was rather minor, having only impacted 12 IHG-managed properties.

However, IHG immediately called in reinforcements in the form of cybersecurity professionals to investigate the problem. The team discovered that attackers were able to install malware on the servers that the hotels' payment card processing systems relied upon, which in turn slurped up information contained in credit card tracks such as cardholder names, card numbers, and internal verification codes -- all of which could be used to clone cards and make fraudulent payments.

Customers affected were notified, and this appeared to be the end of the issue.

However, IHG has quietly released additional information relating to the breach, and it's not pretty.

Rather than affecting only 12 properties and their bars and restaurants, IHG said in a statement that the malware was "designed to access payment card data from cards used onsite at front desks" at properties between Sept. 29, 2016, and Dec. 29, 2016.

"Although there is no evidence of unauthorized access to payment card data after Dec. 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017," the hotel chain added.

Based on a new search tool, which allows customers to check their own stay state-by-state, the sheer number of properties now numbers in the thousands.

Speaking to ZDNet, an IHG spokesperson confirmed that 1,200 IHG-branded franchise hotel locations are also now included in the breach.

The hotel chain is also offering franchised properties free computer forensic help and is pushing locations to implement the firm's Secure Payment Solution (SPS), which encrypts cardholder information.

IHG is working with payment card networks as well as with cybersecurity experts to confirm that the malware has been eradicated from each location, and law enforcement has also been notified.

See also: This tiny $6 gadget lets you break into hotel rooms

"Before this incident began, many IHG-branded franchise hotel locations had implemented IHG's Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution," IHG said. "Properties that had implemented SPS before September 29, 2016, were not affected."

"Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected," the company added.

IHG is far from the only company in the hospitality industry to be targeted for valuable customer information. Last year, Hyatt Hotels admitted that 250 properties in 54 countries had been infected with information-stealing malware.

Update 12.41 GMT: Statement from IHG spokesperson.

Employees will hand over work passwords to hackers for money

How to lock up your digital life and privacy in an hour (in pictures)

Editorial standards