Skip to main content

1,200 InterContinental hotels were breached by credit card stealing malware

1,200 InterContinental hotels were breached by credit card stealing malware

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Bob Woolmer Death Investigation Continues
Photo by Matt Cardy/Getty Images

InterContinental Hotels Group said earlier this year that about a dozen of its hotels had been infected with credit-card stealing malware — it turns out, the number was around 100 times that.

The hotel group, which operates Holiday Inn, Kimpton, and several other brands, has now released details on the broader scope of the security breach. “Approximately 1,200 IHG-branded franchise hotel locations in the Americas were affected,” a company spokesperson tells The Verge.

IHG says it doesn’t know how many customers’ information was stolen

And that number could be higher. KrebsOnSecurity, which broke news of this breach back in December, points out that IHG hasn’t inspected all of its hotels yet — some of its hotels are franchises, and it’s been reaching out to those locations asking them to take part in the investigation.

IHG confirmed that the investigation was ongoing in an email to The Verge, saying that a “small percentage” of franchises haven’t participated. The investigation is also still ongoing at some properties that are participating. The group says it has 3,925 hotels in the Americas.

IHG has published a look-up tool to let its guests see if a hotel they stayed at was breached. You can use the tool here. It’s pretty straightforward, presenting a list of affected hotels in whichever city you choose. IHG says it’ll add any additional locations to the list when its investigation wraps up.

The breach started at the end of September 2016 and continued to the end of December 2016, according to IHG. The hotel group says there’s no evidence the malware was active after December 29th, however it’s not positive that all the malware was actually removed until this March.

IHG is just telling affected customers to keep an eye on their bills

So far, IHG says there’s no evidence that the stolen credit card data has been used. But it says that stolen data may include “cardholder name in addition to card number, expiration date, and internal verification code,” which should be more than enough to put them to use.

IHG says it doesn’t know how many customers are affected. And it isn’t currently offering help to those who are affected, either. The company just says that guests should “remain vigilant to the possibility of fraud” by reviewing their card statements, which isn’t exactly a proactive solution.

These massive, chain-wide credit system breaches are increasingly common. Target and Home Depot were both hit with major breaches in the last few years. And KrebsOnSecurity points to limited breaches within Hilton, Hyatt, Starwood, and Trump Hotels, among others, in the recent past, too.