Kimpton Hotels Hit with 6-Month Card Data Breach

Boutique hotel specialist Kimpton Hotels has confirmed a credit card breach at 60+ restaurants and hotel front desks.

Details are few: “The source and extent of the apparent breach at Kimpton properties is still unknown,” according to independent researcher Brian Krebs. But the compromise persisted for months, from February to July 2016.

While other hospitality breaches were caused by point-of-sale (POS) malware, Kimpton said that the malware in this case was installed on the servers that processed payment cards. The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. 

The compromised information includes card numbers, expiration dates and internal verification codes, and in a “small number of instances” it may have found the track that also contains the cardholder name, the company said in a notice.
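The notice's distinction between the track that carries only the card number and expiry and the track that also carries the cardholder name maps to Track 2 and Track 1 of the magnetic stripe. As an added example (not code from the article or from Kimpton), the following DLP-style check lets a defender scan server logs or captured buffers to confirm that no cleartext track data is flowing through or being retained by a payment server; track layouts follow ISO/IEC 7813, and the sample records use a constructed, synthetic test PAN.

```python
import re

# Constructed sample records: what cleartext track data looks like if a payment
# server ever logs or retains it. The PAN is a synthetic test number, not a real card.
SAMPLE_RECORDS = [
    # Track 1: %B + PAN + ^ + NAME + ^ + YYMM + service code + discretionary data + ?
    "%B4111111111111111^DOE/JANE^29121011000000000000?",
    # Track 2: ; + PAN + = + YYMM + service code + discretionary data + ?
    ";4111111111111111=29121011000000000000?",
    # Benign line that must not match
    "GET /checkout HTTP/1.1 - session 123",
]

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to drop false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list[dict]:
    """Return masked findings for every Luhn-valid Track 1/Track 2 record in text."""
    findings = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group("pan")
            if not luhn_valid(pan):
                continue
            findings.append({
                "track": track,
                # Keep only BIN and last four so the alert itself never stores cardholder data
                "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                "expiry": m.group("exp"),
                "has_cardholder_name": track == "track1",  # only Track 1 carries the name
            })
    return findings


def scan_records(records: list[str]) -> list[dict]:
    return [f for rec in records for f in find_track_data(rec)]
```

Run `scan_records(SAMPLE_RECORDS)` as a periodic job over log files or as a post-mortem check on captured traffic; any finding on a production payment server is an incident, since that data should be encrypted at the reader or tokenized before it reaches the server.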

“Hospitality companies are in an ongoing digital war with cyber-criminals seeking payment card data—and the war is being won far too often by these hackers,” said John Christly, CISO at Netsurion, via email. “Any business that processes payment data or offers free Wi-Fi is a profitable breach target. But widespread chains like Kimpton are especially appealing to hackers because of their troves of valuable data, such as credit-card information, sensitive employee data and sometimes even medical data used by in-house care facilities.”

While being targeted by hackers is likely inevitable, hotel owners and customers alike can take steps to minimize risk.

“Hospitality companies need to do everything they can to protect their customers’ data; this means deploying the latest developments in endpoint protection and secure web gateways that actually prevent breaches through the most advanced methods available to the industry today,” said John Peterson, vice president and general manager, Comodo Enterprise, in an emailed comment. “When it comes to hotel breaches, customers need to be aware of their exposure. They should keep a close eye on accounts that may be impacted and report any suspicious behavior on those accounts.”

Doron Kolton, CEO of TopSpin Security, added, “While we are unsure of the source of the malware that infected Kimpton’s payment terminals, the most concerning part is the fact that the malware was not caught sooner…This is an example of a company not having a robust offensive plan in place to actively and constantly monitor and stop malware that may have penetrated its network before it can get to the customer.”
