KrebsOnSecurity revealed Nashville-based Shoney's restaurant washit by a data breach at several locations around thecountry. Additionally, the InterContinental Hotels Group disclosedmalware compromised registers at more than 1,000 properties.

Best American Hospitality Corp., which manages and operates someof Shoney's corporate-affiliated locations, investigated therestaurants with Kroll Cyber Security. A statement said, “BestAmerican Hospitality Corp. commenced an investigation afterreceiving a report that some payment card numbers that were used atrestaurant locations it manages and operates (some of Shoney'scorporate affiliated restaurants) had been stolen.”

Kroll's findings showed malware, installed remotely on point-of-saleequipment at some of the restaurants, searched for track data(cardholder name, card number, expiration date, and internalverification code) read from the magnetic stripe of routed paymentcards. Shoney's has about 150 company-owned and franchisedlocations in 17 states.

Kroll determined that some of the restaurants subject to a databreach from December 27, 2016 until the malware was contained onMarch 6, 2017. In some instances, the malware identified data fromthe card's magnetic stripe including the cardholder name andnumber; and in other instances, the data identified by malware didnot appear to include the cardholder name.

KrebOnSecurity reported sources in the financial industry saidthey've received confidential alerts from the credit cardassociations about suspected breaches at dozens of thoselocations.

Many breaches involving restaurant and hospitality chains overthe past few years link back to remotely hacked POS devicesinfected with card-stealing malware.

John Christly, Global CISO at the Fort Lauderdale, Fla.-basedmanaged security services firm Netsurion, noted, “Attack and breachprevention requires a new approach today, and many products andservice providers simply do not have the ability to stopcybercriminals before they do legitimate damage, as evidenced bythe recent onslaught of restaurant chain data breaches.”

Christy added, many restaurant owners set up a firewall as abasic security measure and believe their networks sufficientlyprotected. In today's cyberworld, firewalls can't just be set upand run on their own. While a network firewall serves as afundamental security component, it needs active monitoring,managing, and updating to be effective. “Even still, a managedfirewall cannot defend every threat vector.”

In December 2016, KrebsOnSecurity revealed fraud experts atvarious financial institutions suggested a widespread card breachacross some 5,000 hotels worldwide owned by IHG. In February, IHGacknowledged a breach but said it appeared to involve only a dozenproperties. Now, IHG released data showing cash registers at morethan 1,000 of its properties compromised with malware designed tosiphon customer debit and credit card data.

Headquartered in Denham, U.K., IHG operates more than 5,000hotels across nearly 100 countries. The company's dozen brandsinclude Holiday Inn, Holiday Inn Express, InterContinental, KimptonHotels, and Crowne Plaza. According to a statement released by IHG,the investigation “identified signs of the operation of malwaredesigned to access payment card data from cards used onsite atfront desks at certain IHG-branded franchise hotel locationsbetween September 29, 2016 and December 29, 2016.”

Krebs said IHG didn't provide a total of affected properties butdid publish a state-by-state lookup tool with more than 1,000locations nationwide listed.

Card-stealing cyberthieves have broken into some of the largest hospitality chains over the past few years includingTrump Hotels, Hilton, Mandarin Oriental, White Lodging, Starwoodand Hyatt.

Last August, NAFCU President and CEO Dan Berger issued astatement regarding the data breaches: “These hotel data breaches,many of which are repeat offenses, as well as the latest databreach to Oracle's point-of-sale systems, affirm the urgency withwhich Congress needs to pass strong national data securitystandards for retailers, such as the Data Security Act of 2015(H.R. 2205/S.961).”