InterContinental Hotels Group Card Data Hack

If reports were correct, this was one of the hospitality industry's largest data breaches to date. With nearly 1,200 hotels affected, the breach was large enough to affect a significant portion of the 61 million IHG stays per year.

First Published 20th April 2017 |  Latest Refresh 13th September 2022


"Malware to main reception please." 

Reflare Research Team

The InterContinental Hotels Group (IHG) - the owner of hotel chains Holiday Inn and Crowne Plaza - issued a Notice of Data Breach stating that roughly 1,200 of its hotels were likely infected with malware aiming to steal credit card data.

The details

The malware allegedly searched front desk computers for card track data (the information read from swiped credit cards) across a 90-day date range. While Payment Card Industry standards discourage it, such data is often stored on local machines for processing. Card track data will commonly contain the card number, CVV and expiry of a credit card. 
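The same property that made the stored data easy for malware to find also lets a defender audit for it. The following is an added example, not code from IHG or from the original article: a small discovery scan that flags magnetic-stripe track records left in text such as logs or exports, using the ISO/IEC 7813 Track 1 and Track 2 layouts and a Luhn check to cut false positives. The function names and the sample log are constructed for illustration.

```python
import re

# ISO/IEC 7813 layouts: Track 1 "%B<PAN>^<NAME>^<YYMM><service code>...?",
# Track 2 ";<PAN>=<YYMM><service code>...?"
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^\r\n]{2,26})\^(\d{4})\d{3}[^?\r\n]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})\d{3}[^?\r\n]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits only, so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str):
    """Return one finding per Luhn-valid track record found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    expiry = m.group(m.lastindex)  # last group is YYMM in both patterns
                    findings.append({"line": lineno, "kind": kind,
                                     "pan": mask(pan), "expiry_yymm": expiry})
    return findings


# Constructed sample log; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = "\n".join([
    "2017-01-05 10:02:11 checkin room=214 status=ok",
    "2017-01-05 10:02:12 swipe raw=%B4111111111111111^DOE/JANE^19122010000000000?",
    "2017-01-05 10:02:12 swipe raw=;4111111111111111=19122010000000000?",
    "2017-01-05 10:03:40 ref=;1234567890123456=19122010000000000?",  # fails Luhn
])

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

Any hit on a front desk machine means track data is being retained after authorization and should be traced to the process that wrote it and purged.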

IHG states that no other information was stolen. It is unclear whether this conclusion is accurate, as malware with sufficient access rights to read stored track data would likely also be able to access stored customer names and other personal information.

The statement further explains that hotels implementing their “Secure Payment Solution” system were not affected.

Two factors made this attack possible

For one, most hotel chains operate as franchises, making it difficult to enforce security practices across all locations. In IHG’s case, a secure payment system designed specifically to prevent such attacks was already available. Still, many franchises chose not to adopt it.

For another, the technology behind classical credit cards is ancient by modern IT standards. Critical information is saved on the magnetic stripe without any verification or significant security features. Machines capable of copying credit cards are available for well under $300.

Likewise, a card can often be used online without further authorization by anyone who knows only its number, expiry and (optionally) CVV. Credit cards were made in a time when security standards were much laxer and have only recently begun to adjust to modern times, using hard-to-copy chips on physical cards and additional verification systems such as 3-D Secure when shopping online.

As far as we can tell, IHG's behaviour in this case was commendable. They brought in an external security company to analyze the breach, acted reasonably quickly and made a comprehensive statement available to their customers. They further provide a mitigation strategy (Secure Payment Solution) that franchises can - and according to the report do - migrate to.

This is a refreshingly different approach from that taken by the many badly handled security incidents we have analyzed over the past year.

No company is secure from cyber-attacks. Those with legacy systems or franchise structures face an especially tough challenge when trying to secure their infrastructure. When an incident occurs, however, timely and effective handling of the situation is what makes all the difference for brand valuation and customer safety.

The never-ending struggle

On September 7th 2022, IHG announced that they had once again been the victim of a cyber attack. This time around it appears to have been an attack aimed at disrupting reservation and booking-management systems. This is, of course, a wholly different kind of incident from the credit card data theft of 2017. Once again, the company is reacting to the breach by investigating and working with external auditors to maintain both accountability and external validation.

This repeated incident serves as a great example. IHG acted appropriately in 2017 to mitigate the breach it experienced then. Assuming that publicly available information is accurate, no further such breaches have taken place since. That does not mean, however, that all other elements of the infrastructure are automatically secure. There is no such thing as a linear security slider when it comes to organizational infosec. Each element has to be considered both on its own and as a part of the general infrastructure, and continuously updated to adapt to rising security standards and threat surfaces.

Even companies that do everything right end up getting hacked repeatedly. However, swift mitigation and sufficient preparation usually limit the damages caused.
