The InterContinental Hotels Group (IHG), which owns thousands of hotels worldwide, disclosed earlier this month that a credit card breach impacted at least a dozen of its properties. This is just the latest in a series of cyber attacks that have hit some of the largest hotel and hospitality chains over the past years – from Kimpton Hotels to Trump Hotels, Hilton, Mandarin Oriental, Starwood Hotels and Hyatt.
According to IHG’s statement, malicious software was installed on point-of-sale servers at restaurants and bars of 12 of its managed properties between August and December 2016. The locations affected by the data breach include the Sevens Bar & Grill at Crowne Plaza San Jose-Silicon Valley, the Bristol Bar & Grille at the Holiday Inn San Francisco Fisherman’s Wharf, InterContinental San Francisco, Aruba’s Holiday Inn Resort and InterContinental Los Angeles Century City.
The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code. IHG made clear that it doesn’t know the full extent of the breach and is conducting an investigation into other properties throughout the U.S. and the Americas region. However, IHG did say that travelers who used their cards only at hotel front desks during this time should be safe.
IHG reported the security breach to law enforcement and is collaborating with the payment card networks to allow banks to monitor for fraudulent transactions. It also established a dedicated call center to answer guests' questions and set up a web page with additional information.
The recent data breach at the IHG properties underscores the hospitality industry's vulnerability to cyber attacks. Hotels are especially attractive targets because of the huge databases of credit card data they hold. Hackers can reach this data through various routes, including public Wi-Fi signals and multiple point-of-sale terminals at spas, gift shops, coffee bars, and restaurants, as well as sharing programs with third parties including airlines and car rental companies.
With so many potential entry points for attackers, it’s imperative that hotel chains take steps to close their cyber security gaps. This involves conducting a risk assessment to know why and where data is vulnerable and what safeguards are applied to each computer and device. Expert help is required to provide the tools needed to build or strengthen the necessary firewalls, data encryption and other safeguards. Cyber security policies and procedures, including assigned responsibilities, should be documented, implemented and incorporated into the overall written safety and emergency-planning program.
In addition to having robust prevention and risk management measures in place, a responsive Cyber Liability insurance program is imperative to help with the many related costs incurred as a result of a breach. These include customer notification costs, call center set-up, credit or identity protection services for affected parties, forensic investigations, crisis management, and legal defense in the event of a costly lawsuit, among other expenses. Cyber extortion and cyber business interruption coverage can also be added to a Cyber policy. It’s important to note that data breaches can also carry personal risk for hotel executives and board members. In fact, cyber attacks are increasingly drawing scrutiny from government regulators, including the U.S. Securities and Exchange Commission (SEC), which want to ensure directors and officers are taking necessary steps to prevent breaches.