If you stayed at a Holiday Inn, Holiday Inn Express, Kimpton, Crowne Plaza, Indigo, Even, Staybridge, Candlewood or InterContinental hotel in the United States or Puerto Rico last fall, then you may want to check your credit card statements.
That's because the parent company of those chains, InterContinental Hotels Group (IHG), revealed yesterday (April 18) that a credit-card breach involved more than 1,000 of InterContinental's 5,000-odd managed, franchised or company-owned properties.
"Malware designed to access payment-card data from cards used onsite at front desks" was in operation "between September 29, 2016 and December 29, 2016," according to an IHG company statement (opens in new tab). The malware "searched for track data" — card number, expiration date, verification code and, often, card-holder name — "read from the magnetic stripe of a payment card as it was being routed through the affected hotel server."
The company added that the malware may have been present, if not in operation, on infected systems until March 2017. Some hotels stopped the malware from working before Dec. 29, 2016.
IHG has posted an interactive tool that lets possible victims search by state and city for hotels they may have frequented. Every state except Hawaii is represented, as well as the District of Columbia. Independent information-security blogger Graham Cluley (opens in new tab) counted more than 1,170 separate establishments. Concerned customers can also call (855) 330-6367 during business hours.
If you find that you stayed at an affected hotel during the card-stealing malware's operation, then you'll want to immediately review your credit-card statements for the past several months. You should also check for recent account transactions on the card issuer's website (using fully patched and up-to-date browsers only, please) or by calling the automated helpline printed on the back of the card.
If you see anything suspicious, call the card issuer and notify a human being who works there immediately. It's rare that a card holder is liable for fraudulent purchases made with a stolen card, but you should cover your bases anyway.
You may not need to worry about identity theft from this breach, however. Credit card thieves are often interested only in reselling or using stolen card numbers to make a quick buck before the cards are blocked. The personal information on a credit-card magnetic stripe is usually limited to the holder's name, if that, and IHG said only data on the magnetic stripe was stolen.
Ironically, IHG has been trying to get its franchisees to upgrade their card-payment systems to a more secure format that fully encrypts card transactions from the front desk to the bank. Those hotels that had already implemented the new system were not affected by the breach, the company said.
Left unstated was that the theft appeared to affect only payment cards on which the magnetic stripe, a legacy format dating back decades, was used. Presumably, customers who chose to insert their cards into a chip reader, provided one was available, were not affected.