Credit Card Breach Hits 1,000 Hotels: See If You're Affected

If you stayed at a Holiday Inn, Holiday Inn Express, Kimpton, Crowne Plaza, Indigo, Even, Staybridge, Candlewood or InterContinental hotel in the United States or Puerto Rico last fall, then you may want to check your credit card statements.

The Hamilton Crowne Plaza hotel in Washington, D.C., which was affected by the credit-card breach. Credit: Tim1965/Creative Commons

(Image credit: The Hamilton Crowne Plaza hotel in Washington, D.C., which was affected by the credit-card breach. Credit: Tim1965/Creative Commons)

That's because the parent company of those chains, InterContinental Hotels Group (IHG), revealed yesterday (April 18) that a credit-card breach involved more than 1,000 of InterContinental's 5,000-odd managed, franchised or company-owned properties.

"Malware designed to access payment-card data from cards used onsite at front desks" was in operation "between September 29, 2016 and December 29, 2016," according to an IHG company statement. The malware "searched for track data" — card number, expiration date, verification code and, often, card-holder name — "read from the magnetic stripe of a payment card as it was being routed through the affected hotel server."

MORE: What to Do After a Data Breach

The company added that the malware may have been present, if not in operation, on infected systems until March 2017. Some hotels stopped the malware from working before Dec. 29, 2016.

IHG has posted an interactive tool that lets possible victims search by state and city for hotels they may have frequented. Every state except Hawaii is represented, as well as the District of Columbia. Independent information-security blogger Graham Cluley counted more than 1,170 separate establishments. Concerned customers can also call (855) 330-6367 during business hours.

The Holiday Inn in Spencer, Wisconsin, was apparently not part of the breach. Credit: dcwcreations/Shutterstock

(Image credit: The Holiday Inn in Spencer, Wisconsin, was apparently not part of the breach. Credit: dcwcreations/Shutterstock)

If you find that you stayed at an affected hotel during the card-stealing malware's operation, then you'll want to immediately review your credit-card statements for the past several months. You should also check for recent account transactions on the card issuer's website (using fully patched and up-to-date browsers only, please) or by calling the automated helpline printed on the back of the card.

If you see anything suspicious, call the card issuer and notify a human being who works there immediately. It's rare that a card holder is liable for fraudulent purchases made with a stolen card, but you should cover your bases anyway.

You may not need to worry about identity theft from this breach, however. Credit card thieves are often interested only in reselling or using stolen card numbers to make a quick buck before the cards are blocked. The personal information on a credit-card magnetic stripe is usually limited to the holder's name, if that, and IHG said only data on the magnetic stripe was stolen.

MORE: Identity Theft vs. Credit-Card Theft: What's the Difference?

Ironically, IHG has been trying to get its franchisees to upgrade their card-payment systems to a more secure format that fully encrypts card transactions from the front desk to the bank. Those hotels that had already implemented the new system were not affected by the breach, the company said.

Left unstated was that the theft appeared to affect only payment cards on which the magnetic stripe, a legacy format dating back decades, was used. Presumably, customers who chose to insert their cards into a chip reader, provided one was available, were not affected.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.