InterContinental Hotels Group Card Data Hack
The InterContinental Hotels Group (IHG) - owner of hotel chains Holiday Inn and Crowne Plaza - issued a Notice of Data Breach earlier this week. It states that roughly 1200 of its hotels were likely infected with malware aiming to steal credit card data.
The malware allegedly searched front desk computers for card track data (the information read from swiped credit cards). While PCI standards discourage it, such data is often stored on local machines for processing. Card track data will commonly contain the card number, CVV and expiry of a credit card. The attacks happened between September 29th 2016 and December 29th 2016.
IHG states that no other information was stolen. It is unclear whether this conclusion is accurate, as malware with sufficient access rights to read stored track data would likely also be able to access stored customer names and other personal information.
The statement further explains that hotels implementing their “Secure Payment Solution” system were not affected.
Two factors made this attack possible.
For one, most hotel chains operate as franchises, making it difficult to enforce security practices across all locations. In IHG’s case, a secure payment system designed specifically to prevent such attacks was already available. Still, many franchises chose not to adopt it.
For another, the technology behind classical credit cards is ancient by modern IT standards. Critical information is saved on the magnetic stripe without any verification or significant security features. Machines capable of copying credit cards are available for well under $300.
Likewise, a card can often be used online without further authorization by anyone who knows only its number, expiry and (optionally) CVV. Credit cards were designed at a time when security standards were much laxer, and they have only recently begun to adjust to modern times, using hard-to-copy chips on physical cards and additional verification systems such as 3-D Secure when shopping online.
As far as we can tell, the behavior of IHG in this case was commendable. They brought in an external security company to analyze the breach, acted reasonably quickly and made a comprehensive statement available to their customers. They further provide a mitigation strategy (Secure Payment Solution) that franchises can - and according to the report do - migrate to.
This is a refreshingly different approach from that taken by the many badly handled security incidents we have analyzed over the past year.
No company is secure from cyber attacks. Those with legacy systems or franchise structures face an especially tough challenge when trying to secure their infrastructure. When an incident occurs, however, timely and effective handling of the situation is what makes all the difference for brand valuation and customer safety.