Payment Card Data Breach Confirmed by Kimpton Hotels & Restaurants — and What You Can Do


Kimpton Hotels & Restaurants — which has been a division of InterContinental Hotels Group since its acquisition last year — has notified its customers, via letters sent by traditional postal mail and through this official announcement, of an incident which may involve payment card information used at specific restaurants and at the front desks of hotel properties in 62 locations in the United States from Tuesday, February 16, 2016 through Thursday, July 7, 2016.

Payment Card Data Breach Confirmed by Kimpton Hotels & Restaurants

“Kimpton Hotels & Restaurants received a report on July 15, 2016 of unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels. We immediately began to investigate the report and hired leading cyber security firms to examine our payment card processing system. Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels. The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name.”

The issue has reportedly been resolved — along with the promise that existing security measures will be strengthened further to attempt to prevent a similar incident from occurring again — but the cause and extent of this incident are still unknown at this time. “We notified law enforcement and are also working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”

Kimpton is Not the First Lodging Company to Experience a Security Breach

This incident is not the first involving a breach of sensitive customer information at the points of sale at the properties of lodging companies. In fact, security breaches have happened numerous times in recent years and have affected virtually every lodging company.

“A data breach was reported recently for guests at Marriott hotel locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa, among other cities, who used their credit cards to pay at restaurants, gift shops and other establishments within hotels managed by White Lodging Services Corporation”, according to this article written by Randy Petersen back on March 6, 2014. “Other hotels with ties to White Lodging include Hilton (Hampton Inn) and Starwood (Sheraton and Westin). The data breach exposed credit and debit card information belonging to thousands of guests who made charges on dates throughout much of 2013.”

Hyatt Hotels was only one of the lodging companies whose payment systems were breached last year, which may have been one contributing factor in its Internet web site undergoing maintenance for four days. “According to a report by the Identity Theft Resource Center, as of December 22nd, 2015 there have been seven hundred sixty-six (766) data breaches in the United States. Unfortunately, Hyatt Hotels has joined the list of companies affected with a recent announcement that they found malware in their customer payment systems”, according to this article written by Daniel Palen. “The breach of Hyatt’s systems comes shortly after the news that two rivals had been hit. Hilton Hotels confirmed a breach in late November, as did Starwood. In both cases, payment information, which includes credit card numbers, cardholder names, expiration and CVV numbers, were included in the breaches. While Hilton did not say how many properties had been hacked, Starwood was much more specific and published a list with the fifty-four hotels that were affected across North America.”

What You Can Do to Mitigate Fraud as a Result of a Security Breach

Unfortunately — in this digitally connected world — there is no sure-fire way to completely insulate yourself from security breaches and possible fraudulent activity using your sensitive information; but you can take measures to at least mitigate the possibility.

Most important is to remain as aware of your financial activity as possible. Review your payment card statements for any unauthorized activity — and if you find anything questionable, or anything about which you are unsure, report it to the issuer of your payment card. No harm is typically done to anyone if the activity proves to be valid — the worst that could happen is that payment is delayed to the merchant — but if the activity proves to be fraudulent, you have given early and timely notice that helps prevent it from happening further; and you usually are not liable for any damages beyond $50.00 at most.

Similarly, review activity on your credit report as well. You may obtain a complimentary copy of your credit report once every 12 months — as well as place a security freeze on your credit report if necessary — from each of the three nationwide credit reporting companies:

  • Equifax PO Box 740241, Atlanta, Georgia 30374, 1-800-685-1111
  • Experian PO Box 2002, Allen, Texas 75013, 1-888-397-3742
  • TransUnion PO Box 2000, Chester, Pennsylvania 19016, 1-800-916-8800

If you believe you are the victim of identity theft — or have reason to believe your personal information has been misused — you should immediately contact the Federal Trade Commission or the office of the attorney general in the state where you reside. You can obtain information from these sources about steps you can take to avoid identity theft — as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft

Additional information pertaining to how you can protect yourself against fraudulent activity as the result of a breach in the security of your sensitive information is provided by Kimpton Hotels & Restaurants — and as you will see by reading that information, the recovery process is not an easy one.

Summary

Anyone can say with absolute confidence that this will not be the last time the sensitive data of people or companies will be breached in some way; so being vigilant about protecting your information is of paramount importance — and constant and consistently acute awareness is key to that vigilance.

Again, the recovery process from the results of fraudulent activity can be quite arduous and time-consuming; so preventative measures in protecting your sensitive information from being accessed — or, at least, mitigating any further damaging activity from occurring — are preferable.

In the meantime, the team at Kimpton Hotels & Restaurants regrets any inconvenience this incident may have caused. Please call 888-339-3142 Monday through Friday between the hours of 9:00 in the morning and 8:00 in the evening Eastern time if you have questions.

Source: Kimpton Hotels & Restaurants.