Hotels’ credit card info stolen
Holiday Inn chain among those affected
Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn, Crowne Plaza and Kimpton chains, were infected with malware that stole customer debit and credit card data between Sept. 29, 2016, and Dec. 29, 2016, the company said.
InterContinental originally said only a dozen properties were affected but has expanded the list. The initial breach was reported in December by security news site KrebsOnSecurity.
The hotel chain has not published a full list of the properties that were affected but instead offered a state-by-state look-up page.
The hotels so far identified are all in the United States and Puerto Rico, but the company is still investigating other properties in the Americas and will update its look-up tool when the investigation is complete, said Neil Hirsch, InterContinental Hotels communications director for the Americas.
Approximately 1,200 franchise hotel locations in the Americas were affected, he said. The company has a network of more than 5,000 hotels in more than 100 countries, so that could mean more than one-fifth of its hotels were affected.
The malware stole information read from the magnetic stripe of a payment card as it traveled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code. The company doesn’t believe other guest information was affected, it said in its statement.
The company suggests that anyone who stayed at one of its properties during the time period the malware was present review their payment card statement for any unauthorized activity and report the charges to the credit card issuer.