This article is more than 1 year old

Went out boozing in SF during Dreamforce or Oracle OpenWorld? Malware may have slurped your bank card

Hotel chain hacked in the middle of convention season

A posh US hotel chain says a trio of its popular San Francisco night spots were infected with bank-card-stealing malware from August to December of 2016.

So if you were in town for a conference during that time, and had your card swiped through an infected sales terminal, be on the look out for dodgy transactions.

InterContinental Hotels Group admitted to the state of California [PDF] on Friday that twelve of its bars and restaurants in the US had discovered malware in its sales registers. The software nasty stole card names and numbers, expiration dates, and security codes. This sensitive data can be used to clone cards and empty victims' accounts.

The San Francisco locations are: the Luce Bar/888 at the Intercontinental, Nob Hill Club/Top of the Mark at the Intercontinental Mark Hopkins, and the Bristol Bar & Grille at the Holiday Inn in Fisherman's Wharf. All three were believed to be infected from August 1 to December 11 or 15.

The locations and timing could be particularly troublesome for IT departments and tech companies. Both the Intercontinental and Mark Hopkins hotels are particularly popular with business travelers, and the August-December stretch brings a handful of popular conferences to San Francisco, including Oracle Open World and Salesforce Dreamforce.

This means that the hundreds who attended those conferences and stopped in for a meal or drink at either locations may have potentially had their payment card data stolen.

It's not only San Francisco convention goers who may be in danger. The malware was also uncovered in Silicon Valley at the Sevens Bar & Grill at the Crowne Plaza in Milpitas. Other infected locations were found at Intercontinental hotel restaurants and bars in Los Angeles, Washington DC, Chicago, Atlanta, Toronto, Nashville, Aruba, and San Juan, Puerto Rico.

All of those locations were infected on August 1, but were caught and cleaned up at different times ranging September to mid-December.

Intercontinental Hotels is advising anyone who visited any of the 12 locations to keep a close watch on their bank statements and report any unauthorized charges. The company says it is working with banks and law enforcement, but did not say if it would be providing any credit or identity monitoring services to those exposed by the infection. ®

More about


Send us news

Other stories you might like