It’s no secret that I’m a big fan of Kimpton Hotels and Restaurants. Simply put, they get it. If there’s a Kimpton property in a city I’m traveling to, I’m going to make every effort to stay there. You may have heard that the boutique chain experienced a major card fraud issue earlier this year. I first learned about the Kimpton card fraud issue at Krebs on Security.
Kimpton has added a link to details about the issue on its home page. The information appears to have been updated yesterday (August 31, 2016). Here’s an excerpt.
Kimpton Hotels & Restaurants received a report on July 15, 2016 of unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels. We immediately began to investigate the report and hired leading cyber security firms to examine our payment card processing system. Findings from the investigation show that malware was installed on servers that processed payment cards used at the restaurants and front desks of some of our hotels. The malware searched for track data read from the magnetic stripe (emphasis mine) of a payment card as it was being routed through the affected server. The malware primarily found track data that contained the card number, expiration date, and internal verification code, but in a small number of instances it may have found the track that also contains the cardholder name.
You can read the information in its entirety on their website. Kimpton did something else that prompted me to write this post. They actually provided a list of the properties that were impacted and the date ranges involved.
First, kudos to Kimpton for getting this information out there. Kimpton’s guests can make informed decisions based on their past stays. Personally, I stayed at three of the affected hotels. I’m not “worried” about it, but I will keep an eye on my card account to see if any unauthorized charges show up. My primary business travel card has already been swapped out once this year. Hopefully that won’t need to happen again, but it is what it is.
Most importantly, I have to wonder just how many more of these kinds of incidents have to happen before hotels and restaurants upgrade their card payment systems to accept EMV chip cards and contactless payments. I’m sure contactless might be a challenge, but apparently Marriott is working on accepting Apple Pay and perhaps other contactless payments. As for credit cards, while no solution is perfect, I can’t help but think that EMV chip card acceptance might have made this situation less of a problem. In my personal experience, EMV chip card acceptance is finally starting to catch on to the point that a noticeable number of my card transactions are chip-based. The big exception here in the USA – restaurants and hotels. That needs to change.
The bottom line – while the best thing is for these kinds of fraud issues to be prevented, I like Kimpton’s approach to getting information on what happened to its guests. If you’ve stayed at one of the impacted properties, it is a good idea to keep an eye on your card statements and report any suspicious charges immediately.
I’ll be back on the road next week, and yes, I’ll be staying with Kimpton.
-MJ, September 1, 2016