Weissblick - Fotolia
UK headquartered hotel group InterContinental Hotels (IHG) has revealed the extent of malware on its network that could have been used to access the payment card details of US customers in 2016, and has notified customers in the affected Americas region.
The investigation, by an independent cyber security firm commissioned by IHG, revealed that there was signs of malware at 1,200 IHG-branded franchise hotels in the Americas for three months between September and December 2016. IHG admitted that the malware was not “eradicated” until February and March 2017.
IHG works on a franchise basis and it does not own any of its properties. The hotels hit by the malware were in the US, with one in Puerto Rico.
“On behalf of franchisees, IHG has been working closely with the payment card networks, as well as with the cyber security firm, to confirm that the malware has been eradicated and to evaluate ways for franchisees to enhance security measures. Law enforcement has also been notified,” said an IHG statement.
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server,” said IHG, adding that there is no evidence that other guest information was affected.
The company said franchises that were using the group’s point-to-point encrypted payment acceptance system, known as IHG Secure Payment Solution, before the time the malware has been tracked back to were not affected.