InterContinental Hotels Finds an Unwelcome Guest in 1,175 Properties: Malware

Worldwide hotel group InterContinental Hotels, with brands including Holiday Inn Express, Holiday Inn, Candlewood Suites, Staybridge Suites, Crowne Plaza, Hotel Indigo, and Holiday Inn Resort, has reported an unwelcome guest in nearly one third of their 5,000 global properties: malware. 

Properties across the US and Puerto Rico were impacted by malware that according to a statement released by IHG, “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” Designed to steal info from a payment card’s magnetic stripe, InterContinental believes the malware could have stolen the affected properties’ guest credit card numbers, expiration dates and verification codes.

It’s unclear how many customers have been impacted, but Krebs on Security has reported that the IHG state lookup tool shows there are at least 1,175 properties on the companies’ list so far; and not all franchises have performed the free examination by an outside computer forensic team hired by IHG to look for signs of the malware. As a result, there may be more breached hotel locations that have yet to be identified.

Additionally, the company states there is no evidence of unauthorized access to payment card data after December 29, 2016, but the cyber security firm hired to investigate the breach did not confirm the malware was eradicated until March of this year.

How long is too long to discover a breach?

Hotels have been hit hard with card breaches over the last year including Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, White Lodging (twice), Starwood Hotels and Hyatt. It’s clear that hotels and any organization that handles sensitive information and customer data need to evaluate their current approach to security to protect against POS malware breaches. 

InterContinental didn’t realize they had a malware infestation for several months. It then took another 2-3 months to remediate, with several franchises still refusing remediation/checks. Allowing a malware infection to persist for that length of time should not be acceptable to any company. Unfortunately, according to multiple industry surveys, on average it takes 6 months or more for most companies to realize they have a breach. The costs associated with remediation, litigation and loss in consumer confidence should be more than enough reason to seek out proactive solutions to look for compromises before they can wreak havoc and hemorrhage customer data.

It’s no longer enough to rely on anti-virus and real-time threat detection.  Hackers continue to find ways to bypass these defenses and quietly carry out their mission to steal your data. Threat hunting is the practice of proactively searching for hidden compromises such as malware, suspicious code and unauthorized activity that have bypassed existing security defenses. The goal is to reduce the dwell time of attackers – the period between infection and discovery – so you can stop them before they have the opportunity to exfiltrate data and/or corrupt systems.

Turn your security team into hunters

If it sounds daunting to stand up a hunt team, it doesn’t have to be. Once a manual and onerous task best suited to forensic specialists, there are new technologies that automate the process of threat hunting. Take for example Infocyte’s hunt platform.  

Infocyte HUNT can easily convert your existing security team into threat hunters who can quickly - and definitively - reduce your risk of damage and theft. It provides an easy-to-use, yet powerful solution to limit risk and eliminate attacker dwell time by enabling an organization’s own IT and security professionals to proactively discover malware and persistent threats, active or dormant, that have successfully evaded existing defenses and established a beachhead within the network. No other solution puts you into incident response mode with clear, actionable data faster - and with less effort on your part.

Learn more about reducing attacker dwell time with Infocyte HUNT.