International Hotels Group (IHG) recently began notifying guests who used their payment cards at 12 IHG properties between August 2016 and December 2016 that their names, card numbers, expiration dates and verification codes may have been accessed.
Late last year, the company received word of unauthorized charges appearing on credit cards that had been used at IHG properties in North America, and hired cyber security firms to conduct an investigation.
The investigation found that malware was installed on servers used to processed payment cards at restaurants and bars at 12 IHG properties, though cards used at the front desks of those properties were not affected. “An investigation of other properties in the Americas region is ongoing,” the company said.
“IHG has been working with the security firms to review IHG’s security measures, confirm that this issue has been remediated, and evaluate ways to enhance IHG’s security measures,” the company said in a statement. “IHG has notified law enforcement and is working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”
The affected hotels are the Crowne Plaza San Jose – Silicon Valley, the Holiday Inn San Francisco Fisherman’s Wharf, the InterContinental Los Angeles Century City, the InterContinental Mark Hopkins, the InterContinental San Francisco, the InterContinental Buckhead Atlanta, the InterContinental Chicago Miracle Mile, the InterContinental The Willard, the Holiday Inn Resort – Aruba, the InterContinental Toronto Yorkville, the InterContinental San Juan Resort & Casino, and the Holiday Inn Nashville Airport.
Moshe Ben-Simon, co-founder and vice president of TrapX Security, told eSecurity Planet by email that cyber criminals are moving aggressively to access as much credit card data as possible before EMV is fully implemented in the U.S. “Between now and 2020 — the window of time required for EMV deployment — card fraud using current methods could cost just the retail industry alone an additional $10 billion,” he said.
“It is quite clear today that cyber thieves will get into your network,” Ben-Simon added. “The issue becomes how quickly you can discover them. New technologies and the best practices that support them can give the hospitality industry better visibility into their internal networks so that they can quickly identify an attack, stop it before data is breached, and return rapidly to normal operations.”
A recent Javelin Strategy & Research survey of 5,028 U.S. consumers found that 6.15 percent of respondents became victims of identity fraud in 2016, a surge of more than 2 million victims and a 16 percent increase over the previous year.
In response to a steady increase in the deployment of EMV cards and terminals, the research found, card-not-present (CNP) fraud surged by 40 percent in 2016.
“After five years of relatively small growth or even decreases in fraud, this year’s findings drive home that fraudsters never rest and when one area is closed, they adapt and find new approaches,” Javelin senior vice president Al Pascual said in a statement. “The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters.”
“To successfully fight fraudsters, the industry needs to close security gaps and continue to improve, and consumers must be proactive too,” Pascual added.
CyberScout chairman and founder Adam Levin told eSecurity Planet by email that the Javelin report highlights the fact that breaches have become the third certainty in life. “In 2017, consumers must become better informed as to the risks inherent in this dangerous digital world, be more alert to the signs of individual compromise and know what to do to contain and reverse the damage or take advantage of identity theft protection services offered by their insurers, employers or financial services firms,” he said.