The InterContinental Hotels Group (IHG) has confirmed that 12
of its hotels across the Americas suffered a suspected data breach.
The group first reported it was looking into
irregularities at a small number of its properties back in December, an investigation
that was conducted alongside leading cybersecurity firms.
At the center of the investigation was IHG’s
payment card processing systems for hotels across the Americas region. The
Bristol Bar & Grille at the Holiday Inn San Francisco and The Sevens Bar
& Grill at Crowne Plaza San Jose-Silicon Valley were among other locations to fall victim to the data breach.
IHG says it notified guests that had used their
cards at the restaurants and bars of the affected hotels at the time, between
August and December 2016.
It said its findings showed that malware was
installed on servers processing payment cards, and was capable of searching for
track data (name of cardholder, card number, verification code and expiry date)
from the card’s magnetic strip.
While admitting the issue had an impact in many
restaurants and bars, IHG insists machines on the front desks of its sites were
unaffected.
The group has also confirmed it has opened a fresh
investigation into the scale of the breaches – an announcement likely to spark
speculation that there may well be more potential data breach victims than
previously believed.
In the meantime, the group has urged consumers
to be “vigilant” and to “immediately report any unauthorized charges to your
card issuer”.
In a press release, the company added: “We have
been working with the security firms to review our security measures, confirm
that this issue has been remediated, and evaluate ways to enhance our security
measures.”
While the group will undoubtedly hope to reassure
customers, the news is nevertheless likely to add fuel to the debate of whether
organizations are doing enough to promote data security.
A report conducted by the Internet Society in November found
suggested there is a worrying lack of investment in information security, despite
the potential damage it can cause to reputation.