The Hutton Hotel in Nashville, Tennessee and the Kimpton hotel and restaurant chain both recently acknowledged that their guests’ payment card information may have been accessed as a result of separate cyber attacks.
The Hutton Hotel says it engaged a third-party cyber security firm after it was notified of a possible breach by its payment processor. The investigation found that malware designed to capture card data had been installed on the hotel’s payment processing system.
The malware may have captured the names, card numbers, expiration dates and verification codes of guests who used payment cards to pay for or place hotel reservations between September 19, 2012 and April 16, 2015, or who used payment cards to make purchases at food and beverage outlets at the hotel between September 19, 2012 and January 15, 2015, and from August 12, 2015 to June 10, 2016.
“Hutton Hotel has implemented enhanced security measures, including the use of standalone payment processing devices, to prevent any further unauthorized access to payment card data,” the hotel stated in a notice on its website. “We also notified law enforcement and will continue to support their investigation. In addition, we are working closely with the payment card companies to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring on those accounts. For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing address or email address, we will be mailing a letter or sending an email to them.”
Separately, Kimpton Hotels & Restaurants recently announced that malware was found on the servers that processed payment cards used at the restaurants and front desks of some of its hotels. The company was first alerted to the breach by investigative reporter Brian Krebs on July 22, and acknowledged the potential breach soon after.
The malware was designed to capture payment card numbers, expiration dates and verification codes, and may also have captured cardholder names.
Anyone who used their payment cards at specific Kimpton restaurants and hotel front desks between February 16, 2016 and July 7, 2016 may be affected. A full list of affected locations can be viewed here.
TopSpin Security CEO Doron Kolton told eSecurity Planet by email that the most concerning aspect of the breach is that the malware wasn’t caught sooner. “Time and time again we see PoS systems and payment terminals of retailers and hospitality groups become infected with a malware that affects their guests,” he said. “This is an example of a company not having a robust offensive plan in place to actively and constantly monitor and stop malware that may have penetrated its network before it can get to the customer.”
And VASCO Data Security director of omni-channel identity and trust solutions Shane Stevens said by email that other companies in the travel industry need to be aware that they’re being targeted by cyber criminals. “Hotels, airlines and car rental agencies need to stop kidding themselves, learn from other industries, and make cyber security a priority,” he said.
“Trust is an absolute must in order to build and maintain loyal customers,” Stevens added. “The journey starts with understanding and leveraging the advancements in anti-fraud technology that can both amplify the customer experience and protect the financial lives of current customers and future ones yet to come.”
A recent DEFCON talk by Rapid7 senior security engineer Weston Hecker discussed significant vulnerabilities in hotel keys and point of sale systems.