News reports have confirmed that hospitality giant InterContinental Hotels Group (IHG) recently suffered a serious data breach, with hackers stealing payment card data from over one thousand of its properties.
The group originally thought just twelve hotels had been affected, until an investigation proved otherwise.
Of the 5,000 properties IHG operates worldwide, around 1,175 are thought to have been targeted with malware designed to steal information from the magnetic stripe on guest payment cards.
What happened exactly?
IHG have undertaken their own investigation, which was completed in March. They discovered that malware had been running on hotel front desk systems between September 29 and December 29, 2016.
The malware showed no sign of activity beyond December 29th last year, but the group wasn’t able to remove it until after the investigation this March.
In a statement on their website, the hotel chain confirmed that the breach was widespread: "Many IHG-branded locations are independently owned and operated franchises and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations".
What kind of data was stolen?
Because the malicious software was designed to steal data directly from the magnetic stripe of guest payment cards, it’s likely that information such as the cardholder name, sixteen-digit number, expiration date and internal verification codes will have been accessible to hackers.
How many people have been affected?
As with most data breaches, the exact number of people directly affected by the attack is unclear.
In fact, IHG haven’t released any indicative numbers, but they have created a lookup tool which can be used to find out the exact hotels that were infected and the duration the malware was active.
Currently, there are three countries listed - the United States, Canada and Puerto Rico, but the tool allows you to choose individual states within each.
What is IHG doing?
IHG has notified law enforcement of the data breach, and the speed with which they’ve implemented the aforementioned lookup tool demonstrates an admirable desire to be completely transparent about the breach.
IHG is also working closely with payment card networks and cyber security firms in order to confirm that the malware has been completely removed. It’s understood that measures are underway to ensure individual IHG properties are better protected against such attacks.
What can independent hoteliers learn from this data breach?
As is often the case with headline-grabbing news, the devil is in the detail, and if you dig deeper, you discover that IHG franchise hotels running the group’s Secure Payment Solution (SPS) were not affected by the data breach.
SPS is a point-to-point encrypted payment acceptance solution which enables the safe transportation of guest payment card details. Clearly, it did its job in this case, by preventing the malware from accessing the precious personal data it was after.
The lesson, therefore, is a relatively simple one: if you run a hotel, it’s vital that you understand the implications of running insecure payment systems. There’s no escaping the fact that we live in a world rife with cyber crime, and businesses must do all they can to protect their customers’ data.
By implementing a PCI DSS-compliant payment solution, you’ll ensure your hotel is as prepared as it can be for any form of attack designed to steal payment card information.
Despite this, many hotels continue to circumvent rules that are deemed too confusing. This is often the case for hoteliers who have been in receipt of an eighteen-page PCI questionnaire full of acronyms, payment card jargon and queries that demand a degree in network administration.
We’d like to help, which is why we’re holding a free webinar on 8th May that will uncover the truths and debunk the myths surrounding the requirements for handling payments within the hotel industry. Join us, and you’ll gain the chance to quiz industry experts on all things PCI DSS-related:
Register for webinar: http://welcome-anywhere.co.uk/pci-webinar/