Reuters reports that Intercontinental Hotels has now confirmed a breach that was first reported by Brian Krebs in December:
InterContinental Hotels Group Plc said on Friday that a malware in the servers at 12 of its hotels in the United States tracked payment card data if the card was used at the hotels’ restaurants and bars between August and December last year.
The company said that the malware searched for track data – the cardholder’s name, card number, expiration date and the verification code – read from the magnetic stripe of a card as it was being routed through the affected server.
Read more on Reuters. See also Fortune.
Update: Here’s their submission to the California Attorney General’s Office, which includes a list of the affected restaurants and bars, and the vulnerable time period.