InterContinental Hotels Group has confirmed that front desk payment terminals in at least 1,181 hotel locations nationwide were breached last fall. Malware that successfully stole payment card data was detected between Sept. 29, 2016, and Dec. 29, 2016, at locations accounting for 30 percent of its mostly franchised locations in the Americas.
IHG properties include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, Crowne Plaza, Staybridge Suites and Candlewood Suites. While the impact of the breach on financial institutions is as yet unknown, the figures reported by IHG would make this breach one of the largest hotel company data breaches in recent years. While IHG hotels nationwide were affected, the breach primarily affected Holiday Inns and Holiday Inns Express in rural and suburban areas of the South and the Midwest.
Cybersecurity analyst and reporter Brian Krebs, who first broke news about the breach in December, notes that more IHG hotels may be implicated. “[N]ot all property owners have been anxious to take the company up on [IHG’s offer of outside assistance],” he wrote. “As a consequence, there may be more breached hotel locations yet to be added to the state lookup tool.”