Kimpton Hotels confirms data breach

Kimpton confirmed an investigation had found a malware attack on servers.

Boutique hotel operator Kimpton, which is part of InterContinental Hotels Group, confirmed that an investigation found a malware attack on servers that processed payment cards used at some of its hotels. The company launched a probe after it was informed in July of “unauthorized charges occurring on payment cards after they had been used by guests at the restaurant in one of our hotels.”

Kimpton said that the malware installed was designed to track card number, cardholder name, expiration date and internal verification code. The incident involved cards used between Feb. 16 and July 7 at some of its properties, Kimpton said.

“Hotels, airlines and car-rental agencies need to stop kidding themselves, learn from other industries, and make cybersecurity a priority. Point-of-sale-based malware has driven most of the credit card breaches across so many industries already,” Shane Stevens, a director at VASCO Data Security, told Dark Reading. “As organizations address this point-of-sale issue, fraudsters are already looking at which attack vectors to hit in mobile. Their service providers shouldn’t create digital keys and other mobile conveniences until they can better protect their client companies and consumer customers across all channels.”

The company has published a list of the affected properties on its website.

This is the latest confirmed breach in a year full of acknowledged breaches: HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, Rosen Hotels & Resorts and White Lodging. Just last week Hutton Hotel confirmed a breach that lasted nearly four years.