Security Breach At 19 N.J. Hotels, Credit Cards Hacked

A nationwide security breach - a credit card hack - could impact personal information used at 19 hotels across New Jersey, according to officials.

The InterContinental Hotels Group (IHG), which operates Holiday Inns, Crowne Plazas and Staybridge Suites hotels, discovered patterns of unauthorized charges occurring on cards after they were used at nationwide locations, according to a company release.

The investigation identified signs of "malware" designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between Sept. 29 and Dec. 29, 2016.

Although there is no evidence of unauthorized access to payment card data after December 29, 2016, the malware wasn't eradicated until after the properties were investigated in February and March 2017, according to the release.

"To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region," according to the release.

• Candlewood Suites, Bordentown
• Holiday Inn, Budd Lake
• Holiday Inn Express, Carney’s Point
• Holiday Inn, Clinton
• Staybridge Suites, Cranbury
• Crowne Plaza, Edison
• Crowne Plaza, Elizabeth
• Holiday Inn, Hazlet
• Crowne Plaza, Monroe
• Holiday Inn Express, Mount Arlington
• Staybridge Suites, Mount Laurel
• Holiday Inn Express, North Bergen
• Holiday Inn, Princeton
• Crowne Plaza, Saddle Brook
• Holiday Inn, Secaucus
• Holiday Inn, South Plainfield
• Holiday Inn, Totowa
• Holiday Inn Express, Vineland
• Holiday Inn Express, Westampton

The national list of affected IHG franchise locations and respective time frames, which may vary by location, is available here.
The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.

"It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity," the release said. "You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take."

Patch file photo