InterContinental Hotels Group (IHG) has warned that the attacks on its retail systems in February were much bigger than it had earlier admitted - affecting 1,200 of its hotels across the US and Puerto Rico, not the handful of hotels that it had suggested at the time.
The attacks may affect customers of Holiday Inn, Crowne Plaza, InterContinental and half-a-dozen or so other major hotel brands.
IHG first told customers that only a 'dozen' US locations had been infected with credit card-stealing malware back in February, but has now come out and admitted that the attack was a lot worse than it first revealed.
IHG has now warned that 1,200 of its hotels were affected by the malware, which grabs data from credit and debit cards, including cardholders' names, credit-card numbers, expiration dates and security codes.
An investigation revealed that the malware had been active at front-desk payment locations at the affected hotels for at least three months, from 29 September to 29 December 2016.
However, "confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017", which means that some hotels might still be at risk.
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server," IHG said in a statement on its website.
"There is no indication that other guest information was affected," it added.
IHG added that many of its franchised hotel locations were not affected by the breach because it had implemented Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution.
The company advises customers to contact their bank and "remain vigilant" for fraudulent charges.
Last year, Hyatt Hotel guests were also warned of a credit card-related hack. The hotel admitted that hackers had made off with payment card data from cards used onsite at Hyatt-managed locations, primarily at restaurants, between 13 August 2015 and 8 December 2015.