Intercontinental Hotels Group has confirmed that data-stealing malware attacked around 1,200 of its franchisees’ properties at the end of last year.
All but one of the properties affected were in the US – the other in Puerto Rico.
IHG said there were signs of malware use designed to access payment card data from cards used onsite at front desks at certain IHG-branded locations between September 2016 and December 2016.
“Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017,” IHG said.
Before this incident, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected.
The hotel group has published a tool for visitors to check if hotels they stayed at are among those affected.
In a statement IHG said: "IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region.
"The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at the front desk at certain IHG-branded franchise hotel locations.
"It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorised activity. IHG values the relationship it has with its guests and understands the importance of protecting payment card data."
Other hotel groups including Hyatt and Marriott have been hit in recent years by data hacks.