The BBC has reported that Holiday Inn hotels were hit by a card payment system hack, stating, “The owner of the Holiday Inn and Crowne Plaza hotel brands has disclosed that payment card-stealing malware has struck about 1,200 of its franchisees’ properties.” All but one of the hotels were in the USA (one lone hotel in Puerto Rico was hit). The article commented that “The US has been slower to switch to a chip-and-pin system than many other countries, which makes it more difficult to carry out such attacks.” The attack hijacked information taken from the payment cards’ magnetic strips as it was being routed through the hotels’ computer servers. Magnetic strips are simply not secure, and that is why Europe switched to the new chip cards while the USA has lagged behind in switching over. We reported previously about the reluctance of merchants to switch over to the new chip card machines in our post about how Apple Pay is superior to the chip card. If you stayed in a Holiday Inn, Crowne Plaza, Hotel Indigo or Candlewood Suites hotel between 29 September and 29 December 2016, you should check your credit card statements for any additional or unauthorized charges.
The parent company, Intercontinental Hotels Group (IHG), has published a tool for visitors to check if hotels they stayed at are among those affected, as well as offering its franchised properties a free examination by an outside computer forensic team, and stated, “But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state look-up tool.”
Krebs on Security points out that this is just the tip of the iceberg and reports, “Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt. In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years…”