Weekly podcast: data breaches at InterContinental Hotels, RingGo and Allrecipes

This week, we discuss data breaches affecting customers of InterContinental Hotels, RingGo and Allrecipes, those companies’ handling of the incidents, and how incident handling will be affected by the EU’s new data protection law.

Hello and welcome to the IT Governance podcast for Friday, 21 April 2017. Here are this week’s stories.

InterContinental Hotels Group (IHG) – the UK-based owner of, among others, the Crowne Plaza, Holiday Inn and InterContinental brands – has issued a data breach notice, confirming that point-of-sale machines at hundreds of its franchises – one in Puerto Rico, the others in the United States – were affected by malware that accessed customers’ payment card data between 29 September and 29 December last year.

Security researcher Brian Krebs broke the story last December.

According to IHG’s notice, “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected.”

A spokesperson told the BBC: “Individuals should closely monitor their payment card account statements. If there are unauthorised charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Cashless parking solution RingGo – used by 4.3 million motorists to pay for permits and meters up and down the UK – suffered a data breach last week following the release of a new version of its iPhone app. When customers logged in, they found other people’s personal details instead of their own. 600 users were directly affected, and another 1400 who were parking at the time of the incident had their passwords disabled as a precaution.

According to a statement issued last Saturday (15 April) by RingGo’s owners, Cobalt Telephone Technologies: “This error is totally unacceptable and we apologise sincerely to those affected. […] We can assure customers that no useable payment card information was displayed – only the last 4 digits were shown. Some personal data could have been visible, eg name, vehicle registration. It would not be possible to use another’s account to pay for a parking session.  We take the security of our customers’ data extremely seriously and a full investigation into the root cause has taken place so that this issue will not happen again. We followed standard data incident procedures and submitted a report covering this data issue to the ICO. We also contacted, by email, phone and SMS, those affected.”

Although RingGo has pinned a link to this statement to its Twitter account, visitors to its website have to dig a bit more deeply. On the right-hand side of RingGo’s homepage is a ‘News’ column. At the time of this recording, the top item is a story titled “New RingGo iPhone app (12 Apr 17)”. Click that, and you reach the statement: “We apologise unreservedly to anyone that experienced issues following the launch of our new iPhone app.” (So far, so vague – certainly no mention of a data breach.)

Click ‘more’ and you get the rest of the statement: “Those directly impacted have already been contacted by email, text or phone call.  If you have not been contacted but still have concerns about your account please click here.” (Still no mention of a data breach.) Clicking that link takes you to the statement issued by Cobalt Telephone Technologies.

I don’t know about you, but I’m reminded of Arthur Dent’s search for bypass plans.

Another company that warned users this week that their details had been affected by a data breach is recipe-sharing site Allrecipes.com.

According to Graham Cluley, allrecipes.com users who registered with the recipe-sharing site before June 2013 were told by email this week: “We recently determined that the email address and password typed into allrecipes.com by members when they created or logged into their accounts prior to June 2013 may have been intercepted by an unauthorized third party. Based on information available to us, we cannot determine with certainty who did this or how this occurred. Our best analysis is that email addresses and allrecipes.com passwords were intercepted during account registration or login by our members.”

Users have been advised to change their passwords “on allrecipes.com and on any other sites for which [they] use the same username and password.”

Cluley comments: “Allrecipes has only mentioned the breach when asked direct questions about it via Twitter. How hard would it have been to post a link to an advisory on the front page of its website, and tweet out a link to it?

“Clearly plenty of questions remain about how this security breach might have happened, and Allrecipes’ response to it. But at the very least I would have been pleased to see them be more transparent with their users.”

There is actually an ‘FAQ Notice of Data Breach’ on allrecipes.com, but it’s so well hidden that I only found it via a third party. Go to wecare.allrecipes.com for more information.

Data breaches happen an awful lot – indeed, according to a report released by the UK government this week, “Just under half (46%) of all UK businesses identified at least one cyber security breach or attack in the last 12 months. This rises to two-thirds among medium firms (66%) and large firms (68%).” Factor in the number of breaches that aren’t discovered or disclosed and you have something approaching an epidemic.

It’s now 13 months until the General Data Protection Regulation is enforced. From May 2018, any organisation that processes the personal data of EU residents will have to abide by a number of new requirements or risk huge fines if a breach occurs. Have a look at our GDPR resource page for more information.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s April book of the month is our bestselling GDPR pocket guide – the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the General Data Protection Regulation. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.