InterContinental Hotels Group (IHG) has warned that the attacks on its retail systems in February were much bigger than it had earlier admitted - affecting 1,200 of its hotels across the US and Puerto Rico, not the handful of hotels that it had suggested at the time.
The attacks may affect customers of Holiday Inn, Crowne Plaza, InterContinental and half-a-dozen or so other major hotel brands.
IHG first told customers that only a 'dozen' US locations had been infected with credit card-stealing malware back in February, but has now come out and admitted that the attack was a lot worse than it first revealed.
IHG has now warned that 1,200 of its hotels were affected by the malware, which grabs data from credit and debit cards, including cardholders' names, credit-card numbers, expiration dates and security codes.
An investigation revealed that the malware had been active at front-desk payment locations at the affected hotels for at least three months, from 29 September and 29 December 2016.
However, "confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017", which means that some hotels might still be at risk.
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server," IHG said in a statement on its website.
"There is no indication that other guest information was affected," it added.
IHG added that many of its franchised hotel locations were not affected by the breach because it had implemented Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution.
The company advises customers to contact their bank and "remain vigilant" for fraudulent charges.
Last year, Hyatt Hotel guests were also warned of a credit card-related hacking. The hotel admitted that hackers had made off with payment card data from cards used onsite Hyatt-managed locations, primarily at restaurants, between 13 August 2015 and 8 December 2015.
Join Computing in London on 4 May for the Cyber Security Strategy Briefing 2017 for the Financial Sector.
Speakers include Adam Koleda, IT director of insurance firm BPL Global; Peter Agathangelou, associate director of Hamilton Fraser Insurance; and, Dr Kuan Hon, consultant lawyer at law firm Pinsent Masons.
Attendance is free to qualifying IT professionals and IT leaders - register now!
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago