The Kimpton Hotel chain officially notified its customers that its point-of-sale system severs had been infected with malware earlier this year, possibly exposing payment card information and cardholder names.
The chain had announced in late July that it was investigating a possible breach, but the notification issued on Aug. 31 gave out further details. That inquiry discovered that malware had been installed on the servers that processed payment cards used at the hotel's restaurants and front desks between February 16 and July 7, 2016. Several dozen properties were impacted; the complete list can be seen here.
“The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name,” Kimpton said in a statement.
Kimpton does not have a list of specific customers who had their information stolen and so is sending a letter to all guests who used a payment card at one of the locations during the time in question.
John Peterson, VP & GM of Comodo Enterprise, said hospitality companies and consumers play a role in protecting their data.
“Hospitality companies need to do everything they can to protect their customers' data; this means deploying the latest developments in endpoint protection and secure web gateways that actually prevent breaches through the most advanced methods available to the industry today. When it comes to hotel breaches, customers need to be aware of their exposure. They should keep a close eye on accounts that may be impacted and report any suspicious behavior on those accounts,” Peterson told SCMagazine.com in an email statement.