The data breach, which led to the theft of guests’ credit card information who stayed at hotels under the InterContinental Hotel Group, was much bigger than previously announced earlier, with almost 1,200 hotels affected.
“The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016,” said InterContinental Hotel Group in a statement.
The company operates more than 5,000 hotels across 100 countries. Those hotels breached included household names such as InterContinental, Holiday Inn, Crown Plaza and Hotel Indigo chains.
The breach was discovered after hotel guests reported unauthorized fraudulent charges on cards previously used at a number of US hotels owed by IHG.
The hotel group said malware searched for track data – cardholder name, card number, expiration date and internal verification code - and read from the magnetic stripe of a payment card as it was being routed through the affected hotel server.
READ MORE: 100,000 federal student aid applicants at risk of identity theft after IRS breach
The malware did now show signs of activity after December 29 but it was not eradicated from cash registers until March 2017.
The company noted there was no indication other guest information was affected.
Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years, according to Krebs On Security.
Hotel brands that have acknowledged card breaches over the last year include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.
In many of these breaches, thieves plant malicious software on point-of-sale devices via a hacked remote administration tool. Once the attackers have their malware loaded they remotely capture data from each card swiped at the cash register.
Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.