Cyber Incident Victim: InterContinental Hotels Group PLC
Date: Mar 2015
Location: United States of America
Summary
A malware attack targeting payment systems at 20 U.S. hotels managed by HEI Hotels & Resorts compromised customer payment card data across properties operated for Starwood, Marriott, Hyatt, and InterContinental Hotels Group. The breach impacted point-of-sale systems in restaurants, bars, spas, and retail facilities, potentially exposing cardholder names, account numbers, expiration dates, and verification codes, though PIN data remained unaffected as it was not collected. HEI engaged external investigators, notified federal authorities, and implemented an isolated payment processing system following the incident. The affected properties included multiple Starwood Westin locations, Marriott sites, one Hyatt hotel, and one InterContinental hotel, with transaction volumes ranging from approximately 8,000 to 12,800 at individual locations during the compromise period.
Description
The data breach impacting InterContinental Hotels Group PLC (IHG) and other major hotel brands occurred through malware infections at 20 U.S. properties managed by HEI Hotels & Resorts. HEI discovered malicious software designed to harvest payment card data on its systems in early to mid-June 2016, specifically targeting point-of-sale systems in restaurants, bars, spas, and retail outlets across the affected hotels. The malware operated undetected from March 1, 2015, until its containment on June 21, 2016, with 14 of the 20 compromised hotels experiencing intrusions after December 2, 2015. Among IHG properties, the InterContinental Tampa in Florida recorded approximately 12,800 potentially compromised transactions during the breach window. HEI confirmed the attackers accessed customer names, payment card account numbers, expiration dates, and card verification codes, though PIN data remained secure as the systems did not collect it.

HEI engaged external cybersecurity experts to investigate the incident; once they had determined the malware's functionality and scope, HEI notified federal law enforcement agencies. The company implemented a segmented payment processing system isolated from core network infrastructure to prevent future compromises. While IHG and Marriott declined public commentary on the breach, HEI published a detailed list of affected properties including one IHG location alongside 12 Starwood, six Marriott, and one Hyatt hotel. Transaction volumes varied significantly across locations, with the Hyatt Centric Santa Barbara reporting 8,000 exposed transactions. The breach exposed payment card activity spanning 15 months across multiple states, including Florida, California, Texas, and Illinois. HEI maintained operational continuity while addressing the security gaps that enabled the prolonged malware operation.
