Cyber Breaches in the First Half of 2017

InterContinental Hotels Group

In April, IHG shared data that revealed that cash registers at more than 1,000 of their properties had been compromised by software designed to steal customer debit and credit card data.  When the hack was originally announced in February, it was thought to only include around a dozen hotel properties.  However, after further investigation, the number had climbed to at least 1,175 across the US and Puerto Rico by April 19th.

IHG had encouraged their franchises to accept a security inspection when reports of attacks on other large hotel chains first became frequent and were already in the process of moving properties to a more secure payment system.  However, it seems their efforts were a bit too late, as malware had already been inactive as of December 2016.


In mid-January, Arby’s was made aware of a data security breach that may have affected hundreds of their stores.  The stolen credit and debit card information could amount to over 355,000 different cards.

Saks Fifth Avenue

In March 2017 tens of thousands of Saks customers had their personal information posted online in plain text.  The exposed information included names, emails, purchase history, shopping interests, and even phone numbers.  Saks Fifth Avenue’s parent company, Hudson Bay Company, released a statement that they were working to resolve the issue and that only a single digit percentage of emails had been leaked.  HBC also said that compromised phone numbers were an even smaller percentage and they had already taken care of them.

Cyber security professionals and researchers of the Saks Fifth Avenue attack found that the company’s website had been serving pages over unencrypted connections which left shoppers vulnerable on open Wi-Fi networks.

UNC Health Care

Up to 1,300 patients over a time span of almost two years had their personal data mistakenly transmitted to local county health departments from two obstetric clinics at UNC Health Care.  The patients were prenatal patients who had completed Pregnancy Home Risk Screening Forms containing Social Security numbers and a detailed health history.

In March 2017, UNC Health Care began notifying the potentially affected patients and working with the involved health departments to purge their systems of patients they shouldn’t have received information for.  UNC reported that the breach did not affect patients financially and set up a call center for questions.


Amidst recovering sales numbers, Chipotle found out that hackers used malware to steal customer payment information from most of their 2,250 US restaurants and a handful of Canadian locations.  The hack and theft of information is said to have went on for about 3 weeks from March 24, 2017 to April 18, 2017.

An investigation into the attack revealed that the malware used data from the magnetic strip on payment cards to steal card data including account numbers and internal verification.  Chipotle’s non-compliance with PCI and EMV standards will likely result in a fine, on top of another drop in sales.


A data breach at one of DocuSign’s computer systems resulted in stolen customer emails and allowed the hackers to target compromised individuals for an elaborate phishing scheme.  The malicious email campaign that DocuSign uncovered contained a link to a Microsoft Word document download carrying malware.

DocuSign is asking customers to send any suspicious emails they receive related to the company to, then delete them.


Late last month, Kmart posted a letter to their website acknowledging malware that had been installed on payment data systems and could not be detected by anti-virus software.  Kmart immediately stated that the malware had been removed and that their systems were safe to use again.  The company also reassured the public that no personal identity information had been obtained by hackers but admitted that some credit card numbers had been compromised.

Because all of their stores were EMV “Chip and Pin” compliant at the time of the breach, Kmart maintains that the data that can be used to complete fraud or theft is limited.

in Industry News, Security

Get Social
Access Payment Industry Info
& Merchant Insights.