Payment Card Data Breach Confirmed by Kimpton Hotels & Restaurants — and What You Can Do
C ustomers of Kimpton Hotels & Restaurants — which is now a division of InterContinental Hotels Group since its acquisition last year — were notified of an incident which may involve their payment card information used at specific restaurants and the front desks at hotel properties in 62 locations in the United States from Tuesday, February 16, 2016 through Thursday, July 7, 2016 via letters using traditional postal mail and through this official announcement.
Payment Card Data Breach Confirmed by Kimpton Hotels & Restaurants
“Kimpton Hotels & Restaurants received a report on July 15, 2016 of unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels. We immediately began to investigate the report and hired leading cyber security firms to examine our payment card processing system. Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels. The malware searched for track data read from the magnetic stripe of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name.”
The issue has reportedly been resolved — along with the promise that existing security measures will be strengthened further to attempt to prevent an incident similar to this from occurring again — but the cause and extent of this incident is still unknown at this time. “We notified law enforcement and are also working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.”
Kimpton is Not the First Lodging Company to Experience a Security Breach
This incident is not the first involving a breach of sensitive customer information at the points of sale at the properties of lodging companies. In fact, security breaches have happened numerous times in recent years and have affected virtually every lodging company.
Hyatt Hotels was only one of the lodging companies involved in a security breach of its payment system last year which may be one contributing factor for its Internet web site to have undergone maintenance for four days.
Back in April of 2015, e-mail messages sent from the Hyatt Gold Passport frequent guest loyalty program stated that the password to the accounts of some of its members were reset due to access to a small number of accounts by “unauthorized individual utilizing member usernames and passwords.”
I was one of the members who might have possible been affected; but I had not noticed any unusual activity in my credit card accounts at this time. I still monitor them to this day.
I originally wrote in this article last month pertaining to the latest data breaches with Starwood Hotels an Resorts Worldwide, Incorporated and Hilton Worldwide that as we become increasingly dependent on technology for our everyday tasks, our sensitive information becomes more and more vulnerable; and my opinion has not changed: either companies are failing depute their best efforts; or they are just simply not diligent enough in protecting sensitive data.
Either way, I wonder if companies would be more vigilant if they would compensate customers every time their accounts were breached or their sensitive information stolen. If the answer is that they would go broke if that happened, that only further convinces me of the gravity of this technology problem and that better security measures need to be put in place.
These past articles written by me seem to illustrate how serious is this problem of protecting sensitive data from being breached — and it seems that no company is immune:
- Miles Stolen; American, United and Delta Frequent Flier Accounts Breached
- Warning: Security Breach of E-Mail Accounts at Various Companies
- Unauthorized Individual Accessed My Hyatt Gold Passport Account?
- Cyber Attack on an Account I Have Not Had in Years?!?
- Breaking News: Many British Airways Executive Club Accounts Locked; Avios Reset to Zero
- My Starwood Account Was Compromised: More Details — and What Happened
- Follow Up: My Telephone Call With a Starwood Representative
- Warning: Your Hilton HHonors Account Can Be Sold for Cents on the Dollar by Thieves
What You Can Do to Mitigate Fraud as a Result of a Security Breach
Unfortunately — in this digitally connected world — there is no sure-fire way to completely insulate yourself from security breaches and possible fraudulent activity using your sensitive information; but you can take measures to at least mitigate the possibility.
Most important is to remain as aware of your financial activity as possible. Review your payment card statements for any unauthorized activity — and if you do find anything questionable about which you are unsure, report it to the issuer of your payment card. No harm is typically done to anyone if the activity proves to be valid — the worst that could happen is that payment is delayed to the merchant — but if the activity proves to be fraudulent, you have given early and timely notice in preventing it from happening further; and you usually are not liable for any damages beyond $50.00 at most.
Similarly, review activity on your credit report as well. You may obtain a complimentary copy of your credit report once every 12 months — as well as place a security freeze on your credit report if necessary — from each of the three nationwide credit reporting companies:
- Equifax PO Box 740241, Atlanta, Georgia 30374, 1-800-685-1111
- Experian PO Box 2002, Allen, Texas 75013, 1-888-397-3742
- TransUnion PO Box 2000, Chester, Pennsylvania 19016, 1-800-916-8800
If you believe you are the victim of identity theft — or have reason to believe your personal information has been misused — you should immediately contact the Federal Trade Commission or the office of the attorney general in the state where you reside. You can obtain information from these sources about steps you can take to avoid identity theft — as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
1-877-IDTHEFT 0r 1-877-438-4338
Additional information pertaining to how you can protect yourself against fraudulent activity as the result of a breach in the security of your sensitive information is provided by Kimpton Hotels & Restaurants — and as you will see by reading that information, the recovery process is not an easy one.
Closely scrutinize and review the account statements of the credit card which you used for payment; and if you detect any unauthorized charges, immediately report them to the financial institution which issued your card. Timely reporting of any nefarious activity with your card usually will ensure that you are not responsible for unauthorized charges and therefore will not be required to pay them.
To help reduce the chances of your frequent travel loyalty program account becoming compromised, consider following these steps:
- Do not use your e-mail address as your user name or identification to log into different Internet web sites
- Use a complex password and regularly update it
- Use different credentials — passwords and user names, as two examples — to log in for each of your accounts in different frequent travel loyalty programs
- Always check your account regularly
- Promptly report any potential suspicious activity
Anyone can say with absolute confidence that this will not be the last time the sensitive data of people or companies will be breached in some way; so being vigilant about protecting your information is of paramount importance — and constant and consistently acute awareness is key to that vigilance.
Again, the recovery process from the results of fraudulent activity can be quite arduous and time-consuming; so preventative measures in protecting your sensitive information from being accessed — or, at least, mitigating any further damaging activity from occurring — is preferable.
In the meantime, the team at Kimpton Hotels & Restaurants regrets any inconvenience this incident may have caused. Please call 888-339-3142 Monday through Friday between the hours of 9:00 in the morning to 8:00 in the evening Eastern time if you have questions.
Source: Kimpton Hotels & Restaurants.