INTERCONTINENTAL HOTELS GROUP (IHG), owner of the Holiday Inn and Crowne Plaza hotel chains, has warned customers that hackers have made off with more than soap and ironing boards.
IHG first told customers that a 'dozen' US locations had been infected with credit card-stealing malware back in February, but has this week admitted that things are worse than it first thought.
IHG has admitted that 1,200 of its hotels across the US and Puerto Rico have been hit by the malware, which has grabbed data from cards including cardholders' names, credit card numbers, expiration dates and security codes.
An investigation revealed that the malware had been active at front-desk payment locations at the affected hotels between 29 September and 29 December 2016, IHG said. However, "confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017," which means that some hotels might still be at risk.
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server," IHG said in a statement on its website.
"There is no indication that other guest information was affected."
IHG added that many of its franchised hotel locations were not affected by the breach because it had implemented Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution.
The company advises customers to contact their bank and "remain vigilant" for fraudulent charges.
Last year, Hyatt Hotel guests were also warned of credit card-related hacking shenanigans. The hotel admitted that hackers had made off with payment card data from cards used onsite Hyatt-managed locations, primarily at restaurants, between 13 August 2015 and 8 December 2015. µ
Is restoring from backup really the better than prevention?
Allowed anyone to pinpoint locations visited by customers of SVR Tracking
Hackers gained access to systems using unsecured administrator's account
But Canonical's Mark Shuttleworth doesn't agree