Kimpton Hotels & Restaurants, a nationwide chain of 62 boutique hotels, is investigating a string of unauthorized charges on payment cards used at a number of its locations.
It’s unknown how many cards are involved, nor at which locations.
A Kimpton representative told Threatpost that an investigation is ongoing and no further information was available.
Earlier today, the company said in a statement that it had hired a security firm to support its investigation.
“Kimpton Hotels & Restaurants takes the protection of payment card data very seriously. Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.
“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”
Hotels, restaurants and other hospitality outlets are frequently singled out in the annual Verizon Data Breach Investigations Report as victims of opportunistic hackers taking advantage of remote administration systems protected by weak or default credentials, for example. Of particular interest to attackers are vulnerable point-of-sale systems connected in some cases to outdated Windows servers and are behind on patch levels.
Journalist Brian Krebs uncovered the Kimpton breach. Krebs wrote today that he had three financial industry sources confirm a pattern of payment card fraud at nearly two-dozen Kimpton hotels. Krebs said he informed Kimpton last Friday of his investigation.
Kimpton is just the latest hotel chain to fall victim to hackers. Last year, Starwood Hotels and Resorts, Hilton Worldwide, Mandarin Oriental and others reported breaches, most of which were linked to balky point-of-sale systems.
The Starwood breach, disclosed in November, involved the use of point-of-sale malware designed to steal customer names, payment card numbers, security codes and expiration dates. Similarly, Hilton Worldwide reported in September that its point of sale systems were compromised, some as far back as November 2014.
Point of sale malware was all the rage in 2014 and was the nexus of a number of major breaches, including Target and Neiman Marcus. In some cases, attackers used RAM scraping hacking technique where malware is injected into a running process and is built to steal data from memory before it is encrypted and sent to a payment processor. Attackers target either wonky remote management systems or phishing to infiltrate organizations with point-of-sale malware.
