InterContinental Hotel Chain Breach Expands


Atlanta GA ( According to, in December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

In a statement, the company said: “IHG values the relationship we have with our guests and understands the importance of protecting payment card data. Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations. To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region.

When contacted by, John Christly, Global CISO of Netsurion, a provider of managed security services for multi-location businesses, and of EventTracker, its SIEM subsidiary, stated: “Hospitality companies must realize that they are in a digital war with cybercriminals that are after payment card data. And it’s a harsh reality that the war is being won far too often by these hackers.

Hotels are generally more at risk for POS breaches because payment card data is used throughout each hotel location—most have multiple POS terminals. Plus card info is shared with the hotel before the guest even arrives through the booking process. All of this gives cybercriminals multiple opportunities and points of entry for the hacks.

Another concern is that franchisees frequently have access to regional, national, and global data systems from the world’s best known brands. So breaches can affect all or many of the individual franchisees, as well as corporate systems if even one system is breached.”

The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017. Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.

The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected. A list of affected IHG franchise locations and respective time frames, which may vary by location, is available here.

A.N. Ananth, CEO of EventTracker, a co-managed SIEM provider, commented that “Hotels need multiple security technologies to prevent malicious attacks. A managed firewall is essential, blocking dangerous traffic from coming onto the network and preventing sensitive data from being exfiltrated, or sent, to the hackers. File Integrity Monitoring (FIM), Unified Threat Management (UTM), and Security Information and Event Management (SIEM) should also be considered. FIM is a process that validates the integrity of an operating system, or any software, by constantly monitoring the current state of the file and comparing it with a baseline file that hasn’t been compromised. UTM, on the other hand, is a process in which a live administrator can monitor and manage security-related infrastructure through a single dashboard.

SIEM is a key technology in a company’s security stack that should be considered vital, but is often difficult for smaller hotels or branch locations to manage effectively. Summed up, it is responsible for ingesting the logs generated by all the systems and devices in the infrastructure, and then sorting through them. Anything from a firewall, to a server, to a POS system that creates log data is analyzed by the SIEM. The log data is fed into the SIEM and then evaluated against a previously created ruleset in order to determine if there are any anomalies – unusual activity that can indicate an attack – and then generates red flags for those that need to be brought to the IT staff’s attention. The SIEM can prioritize these anomalies, categorize them, and finally generate alerts for the future based on their findings.

For the best outcome, these advanced toolsets should be outsourced to a managed security firm specializing in this type of service—which includes expert threat researchers that constantly look for new activity that could point to a hacker trying to steal data from your systems. If used correctly, hotels can see anomalies that could lead to breaches prior to any damage being done—allowing them to halt hackers in their tracks.”
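The file integrity monitoring described above works by hashing a trusted baseline and diffing later snapshots against it. The following is an added illustration written for this article, not code from IHG, Netsurion or EventTracker; the directory layout, file names and "unexpected binary" scenario are constructed for the example.

```python
"""Minimal file-integrity monitor: snapshot a tree, diff it against a trusted baseline."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            state[str(full.relative_to(root))] = digest
    return state


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline.
    In a real deployment the baseline would be stored off-host so a compromised
    machine cannot rewrite its own reference state."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario (hypothetical paths): baseline a small POS install,
    then a config file is altered and an unexpected executable appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.cfg").write_text("terminal=1\n")
        (root / "bin").mkdir()
        (root / "bin" / "posapp.exe").write_bytes(b"MZ legitimate application")
        baseline = snapshot(tmp)  # taken while the host is known-good
        # Simulated tampering after the baseline was recorded.
        (root / "pos.cfg").write_text("terminal=1\nupload=http://example.invalid\n")
        (root / "bin" / "unexpected.exe").write_bytes(b"MZ unexpected binary")
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Each non-empty "added" or "modified" entry is the kind of red flag a SIEM would raise for the IT staff, which is the point of pairing FIM with centralized log review.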
