Last December Brian Krebs reported that banks said that there was a pattern of credit card fraud centered around the hotels of the Intercontinental Hotel Group, IHG. IHG owns Holiday Inn, Crowne Plaza and Intercontinental, among many other brands.
At the time, IHG said that it only affected a dozen hotels or so. IHG owns about 5,000 hotels. Now four months later, IHG says that the breach affected over 1,000 hotels. And still counting.
The breach affected front desk computers, which is unusual. Typically, the credit card breaches hit the hotel restaurants and bars which are often outsourced to a third party and out of the hotel’s control even though they still get blamed for it.
This time, the breach is hitting the front desk. While only some patrons eat at the hotel restaurant or drink at the bar, almost everyone give the front desk a credit card, even if it is just for “incidentals”. That is what makes this breach nasty.
One good piece of news is that they say that the breach only ran from September 29 to December 29 of last year. But they also said it only affected a dozen hotels, so consider the source.
They are saying that this only affecting franchised hotels, but they are having a bit of a challenge. They are offering to pay for the forensics to check the franchisee’s computers but many of the franchisees are telling them to bug off (or something like that).
As of yesterday, Krebs is saying that of the 1,175 hotels that have been identified so far, 781 are Holiday Inn Express properties, so if you stayed at a Holiday Inn Express late last year, watch your credit cards.
Given that some number of franchisees are not cooperating, the number of affected hotels may continue to rise.
The only thing that IHG has said is that the malware is looking for the credit card data as it transits the hotel server. That means that the hotel is not encrypting the data at the point of collection. Bad Hotel! If they had done that, this likely would not be an issue.
If you watch your credit card transactions and report the theft quickly, you have limited liability ($50). For debit cards, which luckily are used much less frequently at hotels, the window for reporting the fraud is much shorter, so the key thing for you to do is watch your debit card charges and if anything strange appears, report it immediately.
Unfortunately, until businesses get serious about credit card security, we are going to see these breaches on a regular basis. Just recently, Brian has reported about breaches at Shoneys and Gamestop in addition to this IHG breach.
IHG is not reporting numbers regarding the size of the breach, but we could speculate. If the breach was active for 90 days and if each hotel swiped just 50 credit cards a day (which seems low), then 90 x 50 x 1175 = 5.2 million cards. Maybe they will tell us at some time, but right now we are guessing.
Now for the other side of the story.
If you are collecting credit card information, you should be using a chip card enabled credit card reader (remember that many hotels have a credit card reader integrated with the checkin system and they swipe your card instead of dipping it. That is the root of the problem. With the new style readers the data is encrypted as it is collected and the hotel does not have access to the unencrypted data. This means that hackers have to physically compromise the credit card reader. This likely cannot be easily done remotely, meaning that the bad guys are just going to go elsewhere.
For online businesses or other card not present transactions (like over the phone), if you can, enter the data directly into the bank’s web site and do not store or save the data locally. If you don’t save it, hackers can’t steal it. The bank will give you an ID number and that should be sufficient if you ever have questions about the transaction. In that case you will have to work with the bank to deal with it, but you are completely off the hook because that ID number, it turns out, is completely useless to the bad guys.
You would think, after all the breaches in the last 5 years like Target and Home Depot that we would get our arms around this, but apparently not.