share
by Cheryl-Anne Sturken | July 27, 2016

Cheryl-Anne SturkenEarlier this month, Dallas-based Omni Hotels & Resorts said it had been the victim of a malware attack and data breach that affected more than 50,000 customer credit and debit cards at 49 of its 60 hotels. Now, this week San Francisco-based Kimpton Hotels has said it is investigating reports of a possible payment-card data breach. If indeed Kimpton’s data system was breached, the chain would become the latest victim in what has become a string of successful data hacks on hotel companies over the past year.

Omni Hotels & Resorts warned its customers that hackers had stolen payment-card information by gaining access to its point-of-sale system and installing malicious software. "Malware may have operated between Dec. 23, 2013, and June 14, 2016, although most of the systems were affected during a shorter time frame," the company said in a statement on its website.

Kimpton was contacted on July 22 by Brian Krebs, founder of the Krebs on Security blog, after three different banks notified him of a pattern of credit-card abuse found at two dozen, and possibly more, Kimpton properties. The chain operates 62 hotels in the United States. In a July 26 post on its company website, Kimpton said it had launched an investigation and was engaging a local security firm for support.

"We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment-card account statements," read the company statement. "If there are unauthorized charges, individuals should immediately notify their bank. Payment-card network rules generally state that cardholders are not responsible for such charges."

Other major hotel chains that have suffered similar cyber hacks include Four Seasons, Hilton, Hyatt, Marriott and Starwood. The Kimpton breach is one of several that have occurred this year alone. In April, the Trump Hotel Collection, which includes more than a dozen properties globally, acknowledged their credit-card system had been breached. It was the second time the hotel company had suffered a breach in less than one year. On July 1, THC acknowledged it had been alerted to suspicious activity, but did not confirm its payment systems had been infected with data-stealing malware until months after the alert. Trump hotels that had been hit include the Trump International Hotel New York, Trump Hotel Waikiki in Honolulu and the Trump International Hotel & Tower in Toronto.

In the Hyatt breach this past January, the Chicago-based chain revealed that an internal investigation showed that 250 of its hotels’ payment processing systems had been breached between Aug. 13, 2015, and Dec. 8, 2015. That breach hit hotels from Aruba to Thailand, with the highest number of affected locations -- 22 properties -- in China. India was the next biggest target, with 20 affected hotels.

On his website, Brian Krebs noted, "Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy." His advice to customers was that they should remember that "they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements."