[BreachExchange] If you've stayed at a Holiday Inn you may have lost more than a good night's sleep (like maybe your bank card)

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 20 19:09:35 EDT 2017


https://www.theregister.co.uk/2017/04/19/intercontinental_hotels_group_malware/

In February, Intercontinental Hotels Group alerted customers that some of
its US locations had been infected with credit-card-stealing malware. Now
it has admitted the cyber-outbreak is much worse than first thought.

IHG, which owns brands like Holiday Inn and Crowne Plaza, has warned that
around 1,200 of its hotels across the US and Puerto Rico have been hit by
the same sales terminal malware – which grabs card data from the computers'
memory as payments are made. This information is then siphoned off to
crooks to use online and create cloned cards. The infections were spotted
on September 29, 2016, but weren't cleared up until March 2017, and some
hotels might still have a problem.

"The malware searched for track data (which sometimes has cardholder name
in addition to card number, expiration date, and internal verification
code) read from the magnetic stripe of a payment card as it was being
routed through the affected hotel server," IHG said today. "There is no
indication that other guest information was affected."

The hotelier said that many of its locations were unaffected because they
had installed a security mechanism called Secure Payment Solution that
blocked the spyware from reading off sensitive card data – however, many
hotels hadn't gotten the system up and running in time.

Since it is a franchise operation it's up to the hotel owner to install the
more secure system, and there are worries that not all of them have the
system installed even now.

IHG has set up a web page with a full list of affected hotels, and it's a
very long list. The conglomerate isn't offering any kind of identity theft
support, as is usual in such cases. Instead it's just telling customers to
check their credit card statements.

That lack of customer support could turn around and bite IHG in the
backside if the expected credit card fraud is widespread. The US is, after
all, the land of the lawsuit, and lawyers are no doubt salivating at the
chance to launch a class action suit against some of the best-known hotel
brands in the country.