[CQ-Contest] Dayton Crown Plaza Credit Card flaw

jpescatore at aol.com jpescatore at aol.com
Fri May 26 06:02:12 EDT 2017


Here's what happened - it happened to me and I work in Internet security:


The Intercontinental Hotel Group (parent of Holiday Inn, Crowne Plaza, etc.) was hacked back in February and continuing through April. Over 1,100 of its hotels were impacted. If you are interested, details here: http://www.computerworld.com/article/3190175/security/1-175-hotels-listed-in-payment-card-breach-of-holiday-inn-parent-company.html


I checked in to the Crowne Plaza on Friday afternoon. Later that day I got a potential fraud alert from Mastercard that a "card not present" charge of $377 was made to my card by something called IHG. I checked online, my charges that day for gas and for the hotel I stayed in on Thursday night were there and legit - and there was an IHG charge of $377.


When I checked in, they physically swiped my card so it should *not* have shown up as card not present, and I didn't immediately connect IHG to Crowne Plaza. I called Mastercard, they connected me to the fraud folks and I asked, "Do you show more information about IHG?" They said no. So, I said that must be a fraudulent charge and they cancelled that card and are sending me a new one.


I went down to the desk to tell them I would switch the charges to another card and they said "Yes, we are having a lot of that because of the hack." Bells went off in my head, but too late to stop the card from being cancelled. The clerk said "let me check the list of disputed charges, because the system will shut your room card access off." I'd come down quickly enough, wasn't on that list but it was several pages long.


Because of the hack and exposure, IHG apparently was centrally processing card swipes until they could validate that all impacted hotels had cleaned up their local systems. So, the charge showed up as "card not present" - I have no idea why it showed up when I checked in, as on business travel it usually shows up on checkout.


When I was checking in, two hams sharing a room came down and said their room cards didn't work. They might have had the disputed charge thing cancel happen to them, don't know.


Advice: no reason to worry about fraud to your card from your Dayton stay, but if you stayed in any of the 1,100 hotels between February and April and haven't been contacted, good idea to at least check your credit records if not change that card number.


73 John K3TN

