Shoney's Restaurants, IHG Hotels Hit by Credit Card Breaches


A pair of separate credit card breaches were recently confirmed at 37 Shoney's restaurants and at hundreds of InterContinental Hotels Group (IHG) hotels across the United States.

Best American Hospitality Corp. recently acknowledged that payment cards may have been stolen at 37 Shoney's locations it manages and operates between December 27, 2016 and March 6, 2017.

An investigation by Kroll Cyber Security determined that malware installed remotely on point-of-sale (PoS) equipment at the affected Shoney's locations was used to steal cardholder names, card numbers, expiration dates and verification codes.

"In some instances, the malware appears to have identified data from the card's magnetic stripe that included the cardholder name and number, and in other instances the card data identified by the malware did not appear to include the cardholder name," Best American said in a statement [PDF].

"Best American Hospitality Corp. has been working with Kroll Cyber Security, LLC to review its security measures, confirm that this issue has been remediated, and evaluate ways to enhance Best American Hospitality Corp.'s security measures," the company added.

The Importance of Encryption

Gemalto CTO of data protection Jason Hart told eSecurity Planet by email that these types of attacks will inevitably continue until organizations leverage end-to-end encryption to protect payment data. "Breaches are inevitable and companies and IT staff must accept that fact, but that doesn't mean action can't be taken -- they need to secure the breach," he said.

"Doing so requires a data-centric view of threats in which essentially the value of data is made useless to hackers," Hart added. "And that entails better identity and access control techniques, foremost, multi-factor authentication and the use of encryption and key management to secure sensitive data."

Separately, IHG recently announced that PoS devices at hundreds of its franchisee operated properties nationwide were infected with malware designed to steal credit card data (including cardholder names, card numbers, expiration dates and verification codes) between September 26, 2016 and December 29, 2016.

"To ensure and efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region," the company said in a statement.

A list of affected properties is available here.

Protecting Payment Data

"Before this incident began, many IHG-branded franchise hotel locations had implemented IHG's Secure Payment Solution (SPS), a point-to-point encryption payment solution," IHG stated. "Properties that had implemented SPS before September 29, 2016 were not affected."

"On behalf of franchisees, IHG has been working closely with the payment card networks as well as with the cyber security firm to confirm that the malware has been eradicated and evaluate ways for franchisees to enhance security measures," the company added.

IHG first discovered and acknowledged the breach two months ago, but said at the time that it was limited to 12 properties.