Breach At Holiday Inn Owner InterContinental May Include More Than 1,000 Hotels, Not 12

Image courtesy of SoCal Metro

InterContinental Hotels Group, which operates chains like Holiday Inn and Crowne Plaza, recently admitted that the payment systems in some of its restaurants and bars had been compromised, and released a list of 12 affected locations. It turns out that the list was short by well over 1,000.

We learned through Krebs on Security that InterContinental has mostly finished its investigation. In a statement, the company admitted that front desk payment systems at a large number of its franchisee hotels were compromised with malware. Transactions between Sept. 29 and Dec. 29, 2016 were compromised, and there’s no evidence that any transactions after that were affected.

The culprits harvested the information that passed through payment terminals, which included 16-digit payment card numbers, expiration dates, and verification codes, and some customers’ names.

How many hotels are we talking about here? It’s hard to count them up since InterContinental released the list in a searchable database instead of a text list, but one Twitter user counted 1,175 properties.

InterContinental says that the investigation at all locations isn’t yet complete, and to keep checking back. That means they’ll keep on adding more to the list.

InterContinental might not be a familiar nname, but you’ll definitely recognize most or all of its brands. In addition to Holiday Inn and Crowne Plaza, there’s Staybridge Suites, Candlewood Suites, Hotel Indigo, Even Hotels, and Kimpton.

Hotel guests with any questions have been asked to call 855-330-6367 in the United States, and 800-290-9989 from outside the United States.

Remember, even if card-harvesting crooks do get hold of your credit card number, using a credit card rather than a debit card will limit the damage to your everyday life. You won’t risk having your bank account drained and payments from your checking account returned.