InterContinental Hotels Group has confirmed that they had been breached a second time which has affected more than 1,000 hotels and restaurants. This involves Crowne Plaza as victims of this breach and includes hotels and restaurants.
On their websites, there is a notice published last Friday that the company has encountered a second breached and had occurred on at least 12 hotels between Sep and December last year. IHG has said that there has been no evidence that payment card data had been accessed after that point, but was unable to confirm that it has been fully eradicated until a few months later around February/March 2017.
A lot of payment card malware schemes have been circulating out there. These breaches and infections are designed to gather and track data of card numbers, expiration date including verification codes from the magnetic strip of the said cards since the data were routed through affected hotel servers.
Between August and December 2016, the first breach had occurred. It all originated from malware found from servers used to process credit cards. The said breach affected the hotels, along with bars, restaurants and hotels which includes Michael Jordan’s Steak House and Bar at InterContinental Chicago and the Copper Lounge at InterContinental Los Angeles.
It was not disclosed how many properties were affected by the newer breach. However, customers can use a lookup tool the company has posted on its site to search for hotels in select states and cities. IHG gives a timeline for each property and says hotels listed on the tool “may have been affected.”
A cursory review of hotels in the lookup tool suggests far more than a dozen – more than a thousand – hotels, were affected by the malware.
Investigation is still ongoing and the said tool may be updated regularly. Some properties, for a reason not disclosed, elected to not participate in the investigation, IHG said.
The company operates 5,000 plus hotels worldwide, however, the breach has mainly affected US based companies. Although, there has been an exception since a hotel in Puerto RAico, a Holiday Inn Express in San Juan got hit by malware this time.
A point-to-point encryption payment solution has been developed and implemented. This technology has been designed to prevent malware from scouring systems for payment card data. It has been said that the one that got affected by the malware are the ones that have not implemented the encryption technology.
The company said it began implementing a point-to-point encryption payment solution – technology that can reportedly prevent malware from scouring systems for payment card data last fall. The hotels that were hit by this particular strain of malware had not yet implemented the encryption technology, IHG claims.
The news comes as an IHG subsidiary, boutique hotel chain Kimpton, is fighting a class action court case that alleges the company failed to take adequate and reasonable measures to protect guests payment card data.
The chain said it was investigating a rash of unauthorized charges on cards used at its locations last summer. It eventually confirmed a breach in late August that involved cards used from Feb. 16, 2016 and July 7, 2016 at nearly all of its restaurants and hotels.
Bloomberg reported Monday that Lee Walters, the plaintiff in the case against Kimpton, failed to plead all relevant factors. The judge overseeing the case, Judge Vince Chhabria of the U.S. District Court for the Northern District of California, dismissed California state fraud claims last week. Chhabria is allowing claims of implied contract, negligence, and California unfair business practices to continue however.