
Kimpton Hotels Hit by Card Breach

All 62 Hotels and Many Restaurants Suffered POS Malware Infection
Kimpton Morrison House hotel in Alexandria, Va.

Point-of-sale malware attacks: Another week, another hotel chain warning that it's suffered a malware-fueled data breach that led to the theft of customers' card data.


This week's data breach notification comes from Kimpton Hotels & Restaurants, a boutique hotel and restaurant chain with 62 properties in about 30 U.S. cities. It's warning all customers that their payment card data and names may have been compromised via a POS malware infection that lasted nearly five months.

Kimpton couldn't be immediately reached for comment about how many payment cards were stolen or how many customers might have been affected.

The San Francisco-based chain's data breach notification, posted on Aug. 31 to Kimpton's website, says that it's working with law enforcement agencies to investigate and notes that it gave payment card issuers a heads-up on the breach to help them monitor for future fraud.

Based on a now-concluded digital forensic investigation into the suspected breach, Kimpton's breach notification says that malware infected every one of the chain's properties, potentially compromising cards used at front desks and at many of the hotels' restaurants at various points between Feb. 16 and July 7.

Kimpton says it launched its investigation July 15 after receiving "a report ... of unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels."

The hotel chain says it hired multiple cybersecurity firms to investigate. "Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels ... [that] searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server," Kimpton says. Compromised information included card numbers, expiration dates, card verification values and "in a small number of instances" potentially also cardholders' names.

62 Properties Affected

Kimpton has published a list of affected properties and infection dates on its website. "We regret any inconvenience this may have caused," it says. Of course, affected cardholders may yet face future inconvenience as well.

Kimpton says that it has eliminated the malware from its systems, put unspecified security improvements in place and is also notifying directly those customers for whom it has contact information. "Kimpton Hotels & Restaurants does not have information available to identify the name and address of restaurant guests. We will be mailing letters to those guests who used their card at a front desk during an at-risk time frame for whom we have a mailing address."

Linked to HEI Breach?

The breach confirmation from Kimpton - owned by InterContinental Hotels Group - comes just three weeks after hotel management firm HEI reported a POS malware breach affecting 20 U.S. hotels that it manages. The two incidents are potentially related, since the list of breached hotels managed by HEI includes properties it manages for InterContinental Hotels Group, as well as Hilton, Hyatt, Marriott and Starwood Hotels and Resorts (see Recent POS Attacks: Are They Linked?).

A spokeswoman for Kimpton couldn't be immediately reached for comment about how it learned about the breach, which cybersecurity firms it hired, whether its breach appears to be linked to the HEI breach, or which POS system supplier it uses.

The identity of Kimpton's POS supplier is potentially relevant, because Alex Holden, CISO at security and digital forensics firm Hold Security, recently discovered that 10 POS vendors had been compromised, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. Holden told Information Security Media Group that the attacks date from mid-July and that "huge amounts of data - anywhere from 14 GB to 16 GB - was exfiltrated by hackers from most of the 10 identified POS providers."

Holden's investigation was triggered by Oracle last month warning that it had found "malicious code in certain legacy MICROS systems." MICROS, which Oracle acquired in 2014, builds POS software and hardware that Oracle says is used across 330,000 customer sites in 180 countries (see MICROS Breach: What Happened?).

Follows Millennium, Noble Breaches

Kimpton is far from the only hotel chain to recently warn that it suffered a POS malware infection that compromised cardholders' payment card data. In late August, both Denver-based Millennium Hotels & Resorts North America and Noble House Hotels and Resorts, based in Kirkland, Wash., separately warned that they'd learned their systems had been breached. Both organizations said they learned of the breaches via the U.S. Secret Service (see POS Malware Hits Two Hotel Chains).

Neither chain would comment on which POS vendor it used. But MHR's breach notification used language that closely paralleled Oracle's MICROS notification, noting that its "third-party service provider - that supplies and services the affected point-of-sale systems - [warned] that it had detected and addressed malicious code in certain of its legacy point-of-sale systems, including those used by MHR."

Their breaches follow a similar spate of POS malware infections at hotel chains in recent months that have affected Hilton, Hyatt, Starwood Hotels and Resorts, Omni Hotels & Resorts and Trump Hotels, among others.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
