Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly
@DTPaymentNews
An investigation by hotel operator InterContinental Hotels Group PLC found malware had been installed on servers that processed payment cards at restaurants and bars in 12 IHG-managed properties, the company said. And a federal appellate court told a lower court to investigate whether the class of customers that could tap a $10 million settlement fund created in the wake of Target Corp.’s huge data breach in 2013 treats all affected consumers fairly.
United Kingdom-based IHG reported Friday that after receiving a report of unauthorized charges, the company hired cybersecurity firms and notified guests who used their cards at those properties between August and December 2016. The malware searched for track data, including cardholder name, card number, expiration date, and internal verification codes, read from the magnetic stripe of a payment card as it was being routed through an infected server, according to IHG.
Nine of the affected properties are in the U.S., with one each in Puerto Rico, Canada, and Aruba.
IHG, which, leases, franchises, or manages almost 5,100 hotels under the InterContinental, Holiday Inn, and other brands in nearly 100 countries, also said in a news release that “an investigation of other properties in the Americas region is ongoing.” The company confirmed in December that it was investigating a possible data breach at some U.S. properties.
Meanwhile, the Eighth U.S. Circuit Court of Appeals last week remanded to a federal district court in Minnesota class-action litigation to determine whether the proposed Target settlement would treat all members of the settlement class fairly, according to press reports. The proposal calls for Target to create a $10 million settlement fund, from which class members with documented losses from the breach would be paid first. Those who take an oath that they suffered losses but have no documentation would be paid next, and class members who have no losses but could face future identity-theft issues would receive nothing.
A Texas man appealed the class certification, saying the settlement would release Minneapolis-based Target from liability if his identity is misused in the future. That assertion prompted the appellate court to order the district court to explore whether there is a conflict between class members who suffered losses and those who didn’t, which if confirmed could require the groups to have different representation.
According to the Minneapolis Star-Tribune, documents filed in the case show 41.9 million Target customers had card data stolen in the breach, and 60 million had personal information stolen.
