InterContinental Hotels reassures clients after payment cards were charged without authorization


The InterContinental Hotels Group (IHG), which also runs the Crowne Plaza hotels, has moved to reassure clients after cyber-criminals allegedly compromised payment cards used at 12 of the group’s properties in the US.

In a statement, IHG said that it “values the relationship it has with guests and understands the importance of protecting payment card data.”

“On Dec. 28, 2016, IHG reported it was conducting an investigation after receiving a report of unauthorized charges occurring on some payment cards that were used at a small number of U.S. hotel properties… IHG hired leading cyber security firms to examine the payment card processing systems for the hotels that it manages in the Americas region,” the group said in the statement, adding that based on the investigation, the group “is providing notification to guests who used their payment card at restaurants and bars of 12 company managed properties during the time periods from August 2016 – December 2016.”

The 12 affected IHG properties are listed below:

“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties.  Cards used at the front desk of these properties were not affected.  The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server,” IHG added in the statement issued on February 3, 2017.

IHG is still investigating other properties in the Americas region that may also have been affected by the breach.

In the meantime, the group has appealed to its clients to be careful when using their cards to settle payments, noting that “it is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity.”

“You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.  The phone number to call is usually on the back of your payment card.  Please see the section that follows this notice for additional steps you may take to protect your information,” added the statement.

“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures.  We have also notified law enforcement and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”