Kimpton Hotels & Restaurants has confirmed that a payment card security incident occurred at more than 60 of its hotels and restaurants. POS malware infected POS devices at these locations, leading to a data breach in which customers' payment card (credit/debit card) data was stolen.
In mid-July, Kimpton customers reported unauthorized charges on their payment cards. Kimpton initiated an investigation, hiring multiple cyber security firms, which found that a POS malware breach had taken place at its hotels and restaurants between February 16, 2016, and July 7, 2016. Kimpton's servers had been infected with POS malware.
Reporting on the investigation, Kimpton stated that: “Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels. The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name.”
The San Francisco-based Kimpton Hotels & Restaurants is a leading collection of boutique hotels and restaurants. It has announced that it has completed its investigation and has published a list of the affected properties (https://www.kimptonhotels.com/promos/payment-card-notification-property-list), giving the hotel name, location and at-risk time period. In fact, it is believed that all of its properties were affected by POS malware. Customers who visited any Kimpton property can check the list to find out whether their payment card data may have been stolen.
Recently there has been a spate of attacks on POS systems, and the easy target seems to have been payment cards with magnetic stripes. Hospitality service providers use POS systems to accept payments and are responsible for securing customer card data at the POS. This is often the weak link, and it must be protected. The POS network should be isolated from other networks, but more often than not they are connected.
Further, many hospitality service providers maintain card-on-file transactions: card data is stored on servers for longer than typical periods so that later charges can be made. This is very risky, because the stored data can be compromised. Card payment data should not be stored for longer than necessary. Security can be further strengthened by adhering strictly to PCI DSS 3.1 compliance requirements.
Cybercriminals sell the stolen card data on the Dark Web. The hospitality industry must protect its POS devices with strong endpoint security that uses behavioural analytics, real-time vulnerability and PCI scanning, and auto-sandboxing to prevent POS malware infections.
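As an added example (not code from Kimpton or from the article), the following Python data-discovery check scans a constructed server log for raw magnetic-stripe track data of the kind card-on-file systems should never retain, and shows why only track 1 hits expose the cardholder name. The log lines, reservation ids and PANs are constructed test values.

```python
import re

# Track 1 (IATA format): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# The cardholder name lives only on track 1; the discretionary data holds the
# card verification value, which this scanner deliberately does not extract.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?")
# Track 2 (ABA format): ;<PAN>=<YYMM><service code><discretionary data>?  (no name)
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list[dict]:
    """Report each Luhn-valid track 1/2 record found in blob, in file order."""
    hits = []
    for m in TRACK1.finditer(blob):
        pan, _name, yymm, svc = m.groups()
        if luhn_ok(pan):
            hits.append((m.start(), {"track": 1, "pan": mask_pan(pan),
                                     "expiry": "20" + yymm[:2] + "-" + yymm[2:],
                                     "service_code": svc, "name_present": True}))
    for m in TRACK2.finditer(blob):
        pan, yymm, svc = m.groups()
        if luhn_ok(pan):
            hits.append((m.start(), {"track": 2, "pan": mask_pan(pan),
                                     "expiry": "20" + yymm[:2] + "-" + yymm[2:],
                                     "service_code": svc, "name_present": False}))
    return [rec for _, rec in sorted(hits, key=lambda h: h[0])]


# Constructed sample: a property server log that retained raw track data.
# PANs are industry test numbers; the third record fails the Luhn check.
SAMPLE_LOG = """2016-03-02 12:00:01 res=10023 card_on_file=;4111111111111111=1812101123456789?
2016-03-02 12:00:02 res=10024 swipe=%B5555555555554444^DOE/JANE^18121010000000000?
2016-03-02 12:00:03 res=10025 card_on_file=;4111111111111112=1812101123456789?
"""

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_LOG):
        print(rec)
```

Run against real exports, log directories or memory dumps from card-handling servers, a non-empty result means cardholder data is being retained in the clear and the retention path needs to be fixed.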