O2, Kimpton Hotels Investigate Data Breach Claims
The O2 breach appears to have been caused by password reuse, while the Kimpton breach leveraged point-of-sale malware.
U.S. hotel group Kimpton Hotels & Restaurants and U.K. mobile operator O2 both recently acknowledged potential data breaches. In Kimpton's case, the attack appears to be similar to other recent point-of-sale breaches at hotel chains including Hyatt, Omni, Starwood and Hilton, while in O2's case an undisclosed number of customer accounts were exposed by password reuse.
Kimpton Hotels yesterday announced that it was "recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties."
"As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support," the company stated. "We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements."
Investigative reporter Brian Krebs says he contacted the hotel group on July 22 after hearing from three different financial industry sources about a pattern of fraud suggesting a credit card breach at almost two dozen Kimpton locations nationwide.
IDT911 chairman and founder Adam Levin told eSecurity Planet by email that the Kimpton breach should serve as yet another wake-up call for the hospitality industry. "Unfortunately, it would appear there is nothing five-star about the way most hotels approach data security," he said. "Deploying end-to-end encryption, adding layered security, aggressively and thoroughly training employees and constantly monitoring and testing payment systems will help keep organizations, especially those in the hospitality industry, one step ahead of cybercriminals."
Separately, BBC News reports that O2 customer data, including phone numbers, email addresses, passwords and birthdates, is being sold online. The company itself wasn't hacked, though -- the user names and passwords leveraged to access the O2 accounts were reused from the gaming website XSplit, which was hacked three years ago.
Travis Smith, senior security research engineer at Tripwire, noted by email that password reuse can cripple even the most secure systems. "Using authentic credentials rather than attempting to leverage exploits is less risky for the attacker, as security tools are more likely to detect an active exploit," he said. "Since passwords are commonly reused across websites, stolen credentials from one breach are often used across other sites."
"End users should leverage password managers to create unique and complex passwords for every website they have an account on," Smith added. "If available, two factor authentication is an additional step to reduce the likelihood of an attacker gaining access to your account."
A recent eSecurity Planet article looked at 10 top password management solutions.