- InterContinental Hotels Group (IHG) revealed Wednesday that a data breach impacted more than 1,000 properties across the U.S. and in Puerto Rico. First disclosing a breach in February, IHG said at the time only 12 properties were impacted.
- IHG said in a statement that attackers were able to install malware "designed to access payment card data from cards used onsite at front desks" at properties between September 29 and December 29, 2016. Breached data including cardholder names, card numbers and internal verification codes were compromised.
- IHG found out about the breach after banks alerted the company of a multitude of unauthorized charges on payment cards after they were used at IHG locations. The hotel group operates more than 5,000 hotels across nearly 100 countries. The company’s brands include Candlewood Suites, Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels and Crowne Plaza.
Hotels are a favorite target for hackers. Many hotels are behind the times in implementing modern security practices and technologies. IHG did say it is pushing locations to implement the firm's Secure Payment Solution, which encrypts cardholder information. Travelers are also a good target for hacking because people who are traveling don’t necessarily see unauthorized charges immediately.
IHG falls into a line of other hotels targeted by cybercriminals. In January, hundreds of guests at a 4-star hotel in Austria were locked out of their rooms after the hotel was hit with ransomware. Hackers reportedly breached the hotel’s electronic key system and prevented the system from working.
And in November, Starwood Hotels & Resorts Worldwide reported that payment systems at 54 of its hotels in North America had been infected with malware. Around the same time, Hilton Worldwide Holdings also revealed that it was investigating possible cyberattacks.
Cybercriminals don't exactly go out on a limb when looking for their next target. Many cyberattacks are about ease of access, as well as ROI. IHG was caught in a vulnerable position and later had to disclose additional breaches.