The company behind the Holiday Inn and Crowne Plaza hotel brands has admitted a security breach at almost 1,200 of its locations. The InterContinental Hotels Group (IHG), based in the UK, announced that payment card-stealing malware was present at front desks in the US and Puerto Rico between September 29 and December 29, 2016–and that customers should “closely monitor their payment card statements.”
“Payment card network rules generally state that cardholders are not responsible for such charges,” a spokeswoman added, in a conversation with the BBC. IHG says it only eradicated the hacking threat last month, meaning that hundreds of thousands of guests’ accounts may be compromised.
The malware lifted information from credit cards’ magnetic strips as they were being used at IHG front desks. This could include card numbers, verification codes and expiry dates. The company, which runs over 5,000 hotels in 100 countries, has launched a site where customers can check whether they are a victim of the attack.
Some security experts claim the extent of the hack has not yet been fully discovered, and warn there could be many more announcements to follow. IHG has said that not all its franchises were included in its own investigation, and that customers should check back periodically in case a location at which they have stayed is added.
“It’s not clear at this point what type of malware was used to both search for track data or infiltrate other networks,” says Liviu Arsene, Senior E-Threat Analyst at Bitdefender. “It’s entirely possible that the malware could have had some other components that we’re not aware of, potentially involving dissemination or persistency techniques. Until more information about the actual piece of malware become available, it’s difficult to estimate the full extent of the breach.”
IHG has previously suffered breaches at POS terminals at its bars and restaurants, while the hotel industry at large–including brands such as Hyatt and Trump Hotels–has of late become a favored stomping ground for hackers.
The US’ late adoption of chip-and-PIN payments is another major factor in security breaches, the BBC reports. Arsene disagrees. “If the malware had indeed had the ability to manipulate POS devices, then it could have probably been sufficiently advanced to intercept chip-and-PIN payments,” he says.