InterContinental Hotels Group Faces Significant Data Breach
InterContinental Hotels Group (IHG), the parent company of well-known brands such as Holiday Inn and Crowne Plaza, has reported that malware infiltrated its payment card systems, compromising credit card numbers and other sensitive information across 1,174 franchise hotels in the United States. This incident marks the second significant data breach disclosed by the U.K.-based hospitality giant this year, following a February breach that affected twelve locations.
According to IHG’s announcement, the malware was active from September 29 to December 29, 2016, specifically targeting data from cards utilized at front desk systems. The malicious software was removed after the company concluded its investigation in March 2017. IHG noted that several franchise locations were informed by payment card networks of unauthorized charge patterns occurring after legitimate transactions at these hotels.
The breach involved the acquisition of critical credit card data, including cardholder names, numbers, expiration dates, and internal verification codes. IHG has stated that there is no evidence of unauthorized access to payment card data following late December, although it could not definitively confirm the malware’s removal until early 2017.
While the company has not disclosed the total number of affected customers, it directed individuals to a lookup tool available on its website to check if their hotel stay occurred at one of the impacted properties during the breach period. The majority of the affected hotels are in the United States, with substantial concentrations in states like Texas, California, and Florida. Additionally, only one hotel outside the U.S., a Holiday Inn Express in San Juan, Puerto Rico, was identified as impacted.
Franchise locations that had adopted IHG’s Secure Payment Solution (SPS) prior to September 29, 2016, were unaffected by this breach. The SPS is a point-to-point encryption solution designed to bolster payment security. In light of these events, IHG is urging all franchise hotels to implement SPS to guard against similar malware threats while affirming that many properties have already made this upgrade since the malware activity ceased.
IHG has notified law enforcement about the incident and is actively collaborating with payment card networks and cybersecurity firms to ensure the complete removal of the malware and to enhance security protocols across its franchise locations.
For customers affected by this breach, it is advisable to carefully monitor payment card statements for any unauthorized transactions and to consider requesting new cards, particularly for those who stayed at impacted properties during the breach period. IHG emphasized that assistance can typically be accessed via the phone number on the back of payment cards.
In the broader context of cybersecurity, the attack illustrates common tactics summarized within the MITRE ATT&CK framework, particularly concerning initial access through compromised payment systems. Persistence techniques may have been employed to sustain the malware’s presence, while techniques for privilege escalation could have allowed attackers broader access to sensitive data.
This incident reflects a broader trend in the hospitality sector, reminiscent of breaches reported by other major hotel chains, including Hyatt and Hilton. As businesses increasingly digitize, the risk of cybersecurity threats escalates, making it imperative for organizations to remain vigilant and proactive in securing sensitive customer data.
