
Payment Card Incidents at IHG Franchise Hotel Locations in the Americas Region


Old Apr 18, 17, 4:13 am
  #1  
Original Poster
 
Join Date: Feb 2017
Location: Mechelen, Belgium
Posts: 4

Just a heads up: IHG has released the following statement after several payment card incidents took place in the US and Puerto Rico in the September 2016 - December 2016 period:

April 14, 2017

California residents please click here:

https://www.ihg.com/content/us/en/cu...rnia-residents


IHG values the relationship we have with our guests and understands the importance of protecting payment card data. Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations. To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region.

The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017. Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.

The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected. A list of affected IHG franchise locations and respective time frames, which may vary by location, is available here:
https://www.ihg.com/content/us/en/cu...operty-listing


It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.

On behalf of franchisees, IHG has been working closely with the payment card networks as well as with the cyber security firm to confirm that the malware has been eradicated and evaluate ways for franchisees to enhance security measures. Law enforcement has also been notified.

We regret any inconvenience this may have caused. If you have questions, and reside in the United States, please call 855-330-6367 from 8:00 a.m. to 8:00 p.m. ET, Monday to Friday. If you reside outside the United States, please call 800-290-9989 from 8:00 a.m. to 8:00 p.m. ET, Monday to Friday.

More information on ways to protect yourself
We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

Equifax
Phone: 1-800-685-1111
P.O. Box 740256
Atlanta, Georgia 30348
www.equifax.com

Experian
Phone: 888-397-3742
P.O. Box 9554
Allen, Texas 75013
www.experian.com

TransUnion
Phone: 800-916-8800
P.O. Box 2000
Chester, PA 19016
www.transunion.com

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft

If you are a resident of Maryland, you may contact the Maryland Attorney General’s Office at 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

If you are a resident of North Carolina, you may contact the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716-6400 or toll free at 1-877-566-7226.

If you are a resident of Massachusetts, note that pursuant to Massachusetts law, you have the right to obtain a copy of any police report.

Massachusetts law also allows consumers to request a security freeze. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without written authorization. Be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

The fee for placing a security freeze on a credit report is $5.00. If you are a victim of identity theft and submit a valid investigative report or complaint with a law enforcement agency, the fee will be waived. In all other instances, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze. If you have not been a victim of identity theft, you will need to include payment to the credit reporting agency to place, lift, or remove a security freeze by check, money order, or credit card.

To place a security freeze on your credit report, you must send a written request to each of the three major reporting agencies by regular, certified, or overnight mail at the addresses below:

Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com
Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com
TransUnion Security Freeze, PO Box 2000, Chester, PA 19022-2000, www.transunion.com

In order to request a security freeze, you will need to provide the following information:

Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
Social Security number
Date of birth
If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
Proof of current address such as a current utility bill or telephone bill
A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number ("PIN") or password or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

If you are a resident of West Virginia, you also have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies. Contact information for each of the three credit reporting agencies is as follows:

Equifax, PO Box 740256, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 9554, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-680-7289

As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file. You may choose between two types of fraud alert. An initial alert (Initial Security Alert) stays in your file for at least 90 days. An extended alert (Extended Fraud Victim Alert) stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.

You may also obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to West Virginia law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a unique personal identification number (“PIN”) or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the distribution of your credit report for a period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

The unique personal identification number (“PIN”) or password provided by the consumer reporting agency;
Proper identification to verify your identity; and
The period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request.

A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, a few days before actually applying for new credit.

For Canadian residents: We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing your financial statements for any unauthorized activity. To obtain a copy of your credit report, you can contact the two Canadian credit reporting companies directly. Your free credit report is called a “credit file disclosure” by Equifax Canada and a “consumer disclosure” by TransUnion Canada. It does not include your credit score. To get your credit report free of charge, you may order it by mail, fax, telephone, or in person. If you choose to access it online, you will have to pay a fee.


KevinDea is offline  
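The notice above says the malware looked for magnetic-stripe track data passing through the hotel server in the clear, and that point-to-point encryption removed that data from view. As an added example (not part of the original post or of IHG's statement), this is a defender-side check that scans a captured log or file for cleartext Track 1/Track 2 records, validates them with Luhn, and reports them masked; the sample records, the test card number and all function names are constructed for illustration.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(?P<pan>\d{12,19})\^(?P<name>[^^?\r\n]{2,26})\^(?P<exp>\d{4})\d{3}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(?P<pan>\d{12,19})=(?P<exp>\d{4})\d{3}\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: bytes) -> list:
    """Return masked findings for cleartext track data in a captured buffer."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan, exp = m["pan"].decode(), m["exp"].decode()
            if not luhn_ok(pan) or not 1 <= int(exp[2:]) <= 12:
                continue  # fails checksum or has an impossible expiry month
            name = m["name"].decode(errors="replace") if kind == "track1" else None
            findings.append({"kind": kind, "offset": m.start(),
                             "pan": mask(pan), "expiry_yymm": exp, "name": name})
    return findings

# Constructed samples: a well-known test card number, not real cardholder data.
CLEARTEXT_LOG = (b"10:02:11 swipe %B4111111111111111^DOE/JANE^25121010000000000000?\n"
                 b"10:02:11 swipe ;4111111111111111=25121010000000000?\n"
                 b"10:02:12 noise ;1234567890123456=25121010000?\n")  # bad Luhn
# Constructed stand-in for a P2PE terminal payload: opaque ciphertext only.
P2PE_LOG = b"10:05:40 swipe enc=9F3AC27E51B04D88A1C6F0E2937BD415\n"

if __name__ == "__main__":
    for f in find_track_data(CLEARTEXT_LOG):
        print(f)
    print("P2PE findings:", find_track_data(P2PE_LOG))
```

Only Track 1 carries the cardholder name, which matches the notice's remark that track data "sometimes" includes it.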
Old Apr 20, 17, 9:34 am
  #2  
A FlyerTalk Posting Legend
 
Join Date: Apr 2001
Location: NYC
Posts: 69,156
Originally Posted by KevinDea
Just a heads up: IHG has released the following statement after several payment card incidents took place in the US and Puerto Rico in the September 2016 - December 2016 period:
I dislike the way they published the list of properties so I put all 1175ish into a simple spreadsheet: https://docs.google.com/spreadsheets...it?usp=sharing.
sbm12 is offline  
Old Apr 20, 17, 12:03 pm
  #3  
 
Join Date: Dec 2003
Location: LAX
Posts: 9,149
The opening paragraph of this is absolutely pathetic... and unlike major breaches of recent they don't even bother to offer free credit monitoring...
azepine00 is offline  
Old Apr 21, 17, 9:29 am
  #4  
 
Join Date: Feb 2010
Location: YYZ / FRA
Programs: IHG RA; Avis First
Posts: 1,406
Just released today from a Canadian news

http://www.cbc.ca/news/business/holi...hack-1.4079202
BRAISKI is offline  
Old Nov 15, 17, 1:27 pm
  #5  
 
Join Date: Jul 2001
Location: DTW
Programs: Dirt Status w/ All
Posts: 4,994
Looks like this just hit me for a minor annoyance. I just got an e-mail from Chase to confirm an attempted $50 charge at a Walmart in Toledo on my IHG Mastercard. I logged into my account and see pending charges for $50, $51.48 and $50 at the same Walmart. I only use this card if staying at an IHG property so it is no big deal. I stayed at one of the affected Holiday Inns in TN late last year so I'm guessing that is where the hack came from.
tev9999 is offline  
Old Nov 16, 17, 12:12 am
  #6  
 
Join Date: Jun 2004
Location: San Diego
Programs: IHG Spire Amb, HH Gold, DL Diamond and 1MM
Posts: 3,398
Me too

My Chase IHG card was hit with three small-ish gas station or Walmart charges -- all in quick succession -- in Ohio about 6 weeks ago. Chase let the first $50 charge through, but then wised up. Chase fraud agent said my card was recently cloned. I doubt it. Barely used except at IHG properties in the hack time period.
Bowgie is offline  
Old Nov 16, 17, 8:28 am
  #7  
 
Join Date: Dec 2014
Location: Glendale, NY
Programs: IHG Platinum Member
Posts: 22
So am I

Our card was used around 20th of October somewhere in Georgia (store name was Kroger or something similar). Small town that I may have been to maybe 2 years ago, but rather just passing by. Luckily Chase caught it at once and card was replaced (it took like a week to get a new one, what I found to be quite long). That is the second time: first time in 2014 just after vacations in Louisiana someone somehow got our card info and used it like a month after.
We use IHG Chase card often, theoretically never had a problem with customer service, but in fact I only feel secure when using Amex.
piotrs is offline  
