September 6, 2016
Hotel chains continue to be a favored target of hackers harvesting payment card information. The most recent, Kimpton Hotels, late last week acknowledged an intrusion that exposed credit card details of customers who stayed at any of more than 60 of its U.S. locations. The San Francisco-based boutique hotel chain is one of many hotels breached this year, including Hilton, Hyatt, Mandarin Oriental, Starwood, Trump and White Lodging Hotels (the last two suffered not one, but two breaches each). The extent of the Kimpton breach is not clear. According to the company’s statement, however, the malware used to gain entry to the system infected servers rather than POS terminals—the usual point of compromise for breaches of this type.
“Findings from [an] investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels,” Kimpton said in a statement. “The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name.”
According to the company, cards used at the front desks and certain restaurants between Feb. 16 and July 7 of 2016 were potentially exposed. Kimpton has published a list of affected locations.