A breach on the card payment systems of a major hotel chain are larger than expected. In February 2017 it was reported that the InterContinental Hotel Group had experienced breaches on 12 of its hotels. IHG are now reporting that many more such breaches at its locations, possibly upwards of a 1000.
The hotel giant has released a finder tool on its website listing all of the affected IHG locations. The tool shows 50 US states and one location in Puerto Rico. While the full number has not yet been counted, Brian Krebs, the investigative journalist who first broke the story, reckons that there could be more than 1000 locations affected.
IHG runs over 5000 hotels across 100 countries and plenty of brands including Holiday Inn and Crowne Plaza hotels, making it a major hotelier.
A statement released on the hotel's website says that the malware, which infected the hotels' card payment systems, was identified between 29 September and 29 December 2016.
The statement adds that “there is no evidence of unauthorised access to payment card data” after 29th December, it still took until March 2017 to ensure that the malware had been completely expunged from the systems.
The company's statement notes that many IHG locations had implemented “a point to point encryption payment” solution. Those that had done so before September 2016, were not affected by the breach and many more did so after the breach. The implementation of the solution effectively ended the ability of the malware to steal data.
Steve Armstrong, principal consultant at Logically Secure has a couple of ideas about how attackers could have gotten in. However, he told SC Media UK, “the crux of this compromise is that Point of Sale devices were able to either directly connect to any part of the internet or were able to pivot through other internal systems that had uncontrolled internet connections.”But adds Armstrong, “I have yet to see a hotel that is running modern operating system and guest management or in-room entertainment applications. Old operating systems and clunky guest management programmes are common to many chains, and fill me with dread when I check in. However, while credit card companies continue to absorb the compromise and fraud costs from these breaches, there is no real incentive for hotels or other groups to update and improve.”