It seems like every day there’s news of another significant data breach, so here’s today’s: An internal investigation by the InterContinental Hotel Group, which owns Holiday Inn, has revealed that guests at more than a thousand of their hotels had their credit card details stolen. The company identified malware on front desk systems used between September 29 and December 29 in 2016, but that malware may not have been erased until the investigation was completed in March 2017.
The malware obtained data from credit cards including cardholders’ names, credit card numbers, expiration dates and security codes.
Back in December, KrebsOnSecurity first reported that experts had identified a pattern of breaches at hotels. In February, IHG told Krebs that it had only identified a dozen affected hotels. The final number, it turns out, was just a bit higher: 1,175 hotels were affected, according to Computerworld, all in the United States and Puerto Rico.
IHG’s lookup tool, which Computerworld accurately calls “ridiculous,” allows users to look up hotels by city and state, making it very hard to get a complete list or to look up a large number of hotels if you travel a lot. The page also contains a caveat that a “small percentage of IHG-branded franchise properties did not participate in the investigation,” which is definitely not enough information.
The company advises customers to contact their bank and “remain vigilant” for fraudulent charges.
This type of fraud, in which card data is obtained through malware or other means and then used without the card itself (known as card-not-present or CNP fraud), increased 40 percent in 2016, according to a study performed by Javelin Strategy & Research. In 2015, Target agreed to a $10 million settlement for a 2013 breach that affected more than 70 million people.