The InterContinental Hotels Group (IHG) has confirmed that 12 of its hotels across the Americas suffered a suspected data breach.
The group first reported it was looking into irregularities at a small number of its properties back in December, an investigation that was conducted alongside leading cybersecurity firms.
At the center of the investigation was IHG’s payment card processing systems for hotels across the Americas region. The Bristol Bar & Grille at the Holiday Inn San Francisco and The Sevens Bar & Grill at Crowne Plaza San Jose-Silicon Valley were among other locations to fall victim to the data breach.
IHG says it notified guests that had used their cards at the restaurants and bars of the affected hotels at the time, between August and December 2016.
It said its findings showed that malware was installed on servers processing payment cards, and was capable of searching for track data (name of cardholder, card number, verification code and expiry date) from the card’s magnetic strip.
While admitting the issue had an impact in many restaurants and bars, IHG insists machines on the front desks of its sites were unaffected.
The group has also confirmed it has opened a fresh investigation into the scale of the breaches – an announcement likely to spark speculation that there may well be more potential data breach victims than previously believed.
In the meantime, the group has urged consumers to be “vigilant” and to “immediately report any unauthorized charges to your card issuer”.
In a press release, the company added: “We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures.”
While the group will undoubtedly hope to reassure customers, the news is nevertheless likely to add fuel to the debate of whether organizations are doing enough to promote data security.
A report conducted by the Internet Society in November found suggested there is a worrying lack of investment in information security, despite the potential damage it can cause to reputation.
by Narinder Purba, ESET We Live Security