InterContinental Hotels Confirms Breach
Malware Intercepted Payment Card Data at 12 Hotels' Restaurants and Bars
InterContinental Hotels Group is warning customers that malware infected point-of-sale devices at a dozen of its hotel restaurants and bars in North America and the Caribbean and stole payment card data for up to four months. Affected locations include Michael Jordan's Steak House & Bar in Chicago, the Sky Lounge in Toronto, the Copper Lounge in Los Angeles and the Palm Bar in Aruba.
U.K.-based IHG operates more than 5,000 hotels in nearly 100 countries, including Crowne Plaza, InterContinental, Kimpton and Holiday Inn properties.
On Dec. 28, 2016, IHG warned that it was investigating a suspected payment card data breach at some U.S. properties. And on Feb. 3, IHG confirmed the breach, warning customers of 12 of its hotel restaurants and bars that their payment card data may have been stolen.
"Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties," IHG says via a site dedicated to the breach. "Cards used at the front desk of these properties were not affected. The malware searched for track data (cardholder name, card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server."
The infection periods varied, but most began around Aug. 1, 2016, and concluded by Dec. 15, 2016, the company says.
"We have been working with the security firms to review our security measures, confirm that this issue has been remediated and evaluate ways to enhance our security measures," IHG says. "We have also notified law enforcement and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards."
IHG said on Dec. 28, 2016 that it had launched its related investigation "after receiving a report of unauthorized charges occurring on some payment cards that were used at a small number of U.S. hotel properties," and that it hired outside cybersecurity firms to investigate.
IHG declined to comment on the exact firms it hired, what type of malware infected the servers, whether it manages the servers - or if they have been outsourced to a third party - and how many payment card details might have been compromised.
Security blogger Brian Krebs first reported news of the suspected breach on Dec. 28, 2016, saying that some IHG properties - particularly Holiday Inn and Holiday Inn Express locations - seemed to be experiencing unusual levels of fraud.
Warning: 12 Locations Breached
According to IHG's breach notification, five of its locations in California have restaurants and bars that were affected by the breach:
- Crowne Plaza San Jose-Silicon Valley;
- Holiday Inn San Francisco Fisherman's Wharf;
- InterContinental Los Angeles Century City;
- InterContinental Mark Hopkins;
- InterContinental San Francisco.
Restaurants and bars at seven other locations were also affected:
- Holiday Inn Nashville Airport;
- Holiday Inn Resort - Aruba, located on the Dutch Caribbean island;
- InterContinental Buckhead Atlanta;
- InterContinental Chicago Magnificent Mile;
- InterContinental San Juan Resort & Casino in Puerto Rico;
- InterContinental The Willard in Washington;
- InterContinental Toronto Yorkville.
Does Breach Tie to Others?
What's unclear is whether the IHG breach ties to other POS malware infections.
The breach alert from IHG follows an Aug. 31, 2016, alert from Kimpton Hotels & Restaurants, which is owned by IHG. Kimpton, which comprises 62 properties in about 30 U.S. cities, warned customers that their payment card data and names may have been compromised via a POS malware infection that lasted nearly five months.
Kimpton said that all of its properties had been breached in 2016 between Feb. 16 and July 7. The incident was potentially related to a breach reported by hotel management firm HEI, which in August 2016 reported that a POS malware breach had affected 20 locations, some of which it manages for IHG.
That same month, Oracle warned that it had found "malicious code in certain legacy MICROS systems." MICROS, which Oracle acquired in 2014, builds POS software and hardware that Oracle says is used across 330,000 customer sites in 180 countries.
That MICROS warning led Alex Holden, CISO at security and digital forensics firm Hold Security, to investigate other POS vendors. Holden told Information Security Media Group that he'd identified 10 other POS vendors that also appeared to have been compromised, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. He reported that "anywhere from 14 GB to 16 GB" of data in total was exfiltrated from the 10 affected POS service providers.
This story has been updated with comment from InterContinental Hotels Group.