InterContinental Hotels Group (IHG) has reported a data breach of guests' payment cards at almost 1,200 U.S. hotels and one Puerto Rico property during the fourth quarter of 2016.
U.K.-based IHG, which oversees about 6,200 hotels worldwide under such brands as Holiday Inn, Holiday Inn Express, Crowne Plaza and InterContinental, had initially reported the breach in February but said at the time that it included just 12 hotels.
The company said that 1,161 franchised hotels might have been affected, which would account for nearly a third of IHG's 3,600 franchised properties in the Americas. IHG's largest brand, Holiday Inn Express, had the most hacked hotels on the list, with 771.
IHG said malware that had infected the system tracked the names of credit card holders, along with their card numbers, expiration dates and internal verification codes. The data came from cards that were run through payment-processing machines at the hotels' front desks.
The breach occurred last year between Sept. 29 and Dec. 29. IHG spokesman Neil Hirsch said last week that the company did not know how many guests might have been impacted. He did not disclose how many guests had complained about credit card data having been compromised.
"On behalf of franchisees, IHG has been working closely with the payment card networks as well as with the cybersecurity firm to confirm that the malware has been eradicated and evaluate ways for franchisees to enhance security measures," IHG said in a statement.
The hospitality industry remains a lucrative target for hackers and cybercriminals, whose impact on businesses keeps broadening worldwide. The annual cost of payment-card fraud doubled worldwide between 2012 and 2015, to about $22 billion. It is expected to approach $32 billion by 2020, according to the Nilson Report, a newsletter covering the payment systems industry.
The U.S. accounts for almost 40% of those losses and totals about 13 million victims a year.
Some of the higher-profile payment-card breaches in recent years include Target, which said that the data from as many as 70 million people had been compromised by a breach in 2013, and Home Depot, which the following year estimated that information had been stolen from as many as 56 million customers.
As for the hotel industry, Hilton, Hyatt and Starwood, now owned by Marriott International, have reported data breaches at hotels since 2015.
The Washington-based trade group American Hotel & Lodging Association (AH&LA), which recently broadened its campaign to warn travelers of booking scams by "rogue" third-party websites, declined to comment on the IHG breach, referring questions back to the company.
Brian Krebs, a Virginia-based writer of the KrebsOnSecurity cybersecurity blog, said, "I'd be surprised if there was a credit card used at a hotel within the last year where it wasn't somehow compromised."
From a legal standpoint, experts said that IHG is not directly liable for the breach because it occurred at independently owned and operated franchise properties, not through IHG's global reservation system. Still, Ashton Mozano, chief technology officer at Boulder, Colo.-based cybersecurity software maker Circadence, said the hotelier's reputation will take a hit because travelers associate the breach with the brand parent.
Additionally, Mozano said, the breach illustrates how franchise hotels, especially those at the lower end of the price spectrum, are particularly susceptible to cybercrime. About 70% of IHG's hotels are franchised.
In addition to the Holiday Inn Express properties, other IHG properties affected by the breach include some 180 Holiday Inns, 120 Candlewood Suites and more than 50 Staybridge Suites. No data breach has been detected at either an InterContinental or a Kimpton-branded hotel.
"The upper-scale companies used to be a perfect place to attack, but I've seen massive improvement," Mozano said. He added that at lower-price hotels, "there are a lot of people in management positions or franchise owners who just don't realize or appreciate the level of vulnerability that they could be exposed to."
Hirsch said that IHG hotels that had implemented the company's encrypted payment-acceptance program, called Secure Payment Solution (SPS), prior to last Sept. 29 were not impacted by the malware, and that hotels that adopted SPS after that date stopped the malware from capturing further card data.
IHG, which has hired a cybersecurity firm to investigate the breach and has contacted law-enforcement officials, said there was no evidence of unauthorized payments after Dec. 29. The company is also urging guests to review their bank statements and report unauthorized charges to card issuers.
Both Krebs and Mozano said that the proliferation of chip-and-PIN cards, and the growing number of businesses that can process them without a magnetic-stripe swipe, could reduce the frequency of such cyberattacks.
"With a data-chip card, you can't take that data and make it into its own card, or at least not cheaply," said Krebs.
Still, the scale of the IHG breach reflects how many cybercriminals continue to stay a step ahead of both customers and businesses, and some are figuring out ways to pull information off chip-and-PIN cards as well.
"If this was the case in 2001 or 2002, you could understand [the IHG breach]," said Mozano. "But this was 2016. Business owners must be more proactive."