The InterContinental Hotels Group (IHG) has admitted that malware was found on systems used to process credit cards at bars and restaurants at 12 of its hotels in North America and the Caribbean.
Although the firm, which is the parent company of Holiday Inn, Crowne Plaza and Kimpton Hotels, did not say how many cards are affected, it confirmed on Friday that the malicious code had been found on some servers.
It had previously reported on December 28th that it was investigating after receiving reports of unauthorised charges to payment cards that were used at “a small number of US hotel properties”.
“Based on the investigation, IHG is providing notification to guests who used their payment card at restaurants and bars of 12 company-managed properties during the time periods from August 2016 to December 2016 identified below,” it said in a statement along with a list of affected locations, adding that an investigation of other American properties is ongoing.
“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG-managed properties. Cards used at the front desk of these properties were not affected.
“The malware searched for track data (cardholder name, card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server.”
IHG advised customers to monitor their bank accounts for unusual activity and contact the authorities if they believe they have been affected. It added it was working with cyber security experts to bolster its security.
Point of sale malware has hit the headlines multiple times in recent years – perhaps most notably in the case of the 2014 Target breach – as it has been utilised by cyber criminals to steal consumers’ financial information.