The hotel chain that owns Holiday Inn, Crowne Plaza, InterContinental and other brands said credit card information of its guests may have been stolen last year at thousands of locations, including more than 100 in Canada.
British-based InterContinental Hotels Group (IHG) said it is aware of "unauthorized charges occurring on payment cards after they were legitimately used at their location."
More than 1,000 locations across North America are impacted, including 113 in Canada, mostly in Ontario and Alberta. The vast majority of affected Canadian hotels are branded either Holiday Inn or Holiday Inn Express, but other names, including Candlewood Suites, Staybridge Suites and Crowne Plaza locations, are also impacted.
The hack appears to have happened between Sept. 29 and Dec. 29 of 2016, when hackers used malware to obtain information from cards used at the front desk, and in some cases at bars and restaurants in the hotels.
"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server," IHG said in a press release. "There is no indication that other guest information was affected."
There's also no indication that any data has been stolen since December, when better encryption methods were put into place.
The company said it has hired "a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations" and advises anyone who thinks they may have been affected "to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity."
"You should immediately report any unauthorized charges to your card issuer."
The breach was first revealed in February, but at the time the company thought only about a dozen locations in the U.S. were impacted. The scope of the breach has since expanded.
Most cybersecurity breaches are not discovered until well after they have happened, security researcher Jérôme Segura from Malwarebytes told CBC News in an interview.
"Corporations that tend to be breached don't know about it themselves for a long time" until enough customers come forward with the same complaints, he said. "Victims are usually the last ones to know.
"Unfortunately, what happens in this industry is security is usually an afterthought, whether it's ... hotels or grocery stores," he said. "Typically what we see is it takes a large breach for them to realize that it actually hurts their … brand."