InterContinental Hotels Group PLC has confirmed that a number of its hotels in the United States and in Puerto Rico were targeted by dedicated and successful cyber-attacks in the latter half of 2016.
Between September 29 and December 29, unnamed hackers stole a large number of customer card details by hacking into IHG's payment servers.
“Although there is no evidence of unauthorised access to payment card data after December 29 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017."
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected,” said the group via a press release.
Based in the UK, InterContinental Hotels Group PLC has a network of as many as 5,028 hotels across the world, a majority of which operate under franchise agreements. These hotels include the likes of Holiday Inn, Crowne Plaza, InterContinental and Candlewood Suites. The group has published a list of hotels affected by the data breach in the United States and Puerto Rico which you can see here.
The worrying part about the data breach is that it was discovered not by the group's cyber security arm itself, but by the group's card providers. The fact that this isn't the first time that IT infrastructure of hotels have been breached, points to a serious gap between capabilities of hackers and that of such hotels in protecting their secured data.
It is expected that strict adherence to the PCI DSS cyber security standards as well as to the upcoming General Data Protection Regulation (GDPR) will ensure hotels and other large businesses will be able to protect their servers as well as confidential customer data from falling in the hands of professional hackers. The GDPR mandates that erring firms who fail to protect their data will be liable to pay either 4% of their annual worldwide turnover or €20 million, whichever will be higher, as fines.