Cyber Incident Victim: Kimpton Hotels and Restaurants
Date: Feb 2016
Location: United States of America
Summary
A hospitality group experienced a payment card breach involving malware on point-of-sale systems at numerous hotels and restaurants over several months. The malicious software compromised credit and debit cards used at front desks and dining establishments across more than 60 affected locations, capturing card data through infected terminals. The intrusion mirrored other point-of-sale attacks where criminals remotely harvested payment information to produce counterfeit cards. While the exact origin remained unclear, the incident followed patterns of breaches targeting payment systems via compromised remote administration tools.
Description
Kimpton Hotels publicly confirmed a data breach involving malware on payment systems across numerous properties following an inquiry by KrebsOnSecurity in mid-2016. The compromise spanned February 16 to July 7, 2016, affecting credit and debit cards processed at front desks and restaurants at more than 60 listed hotel and dining locations. Malicious software designed to capture payment card data was identified and removed from point-of-sale (POS) terminals during this period, though the origin and full scope of the intrusion remained undetermined at the time of disclosure. The breach followed a pattern observed in prior retail compromises, including major incidents at Target and Home Depot, where POS malware facilitated large-scale card data theft. Kimpton’s formal acknowledgment occurred more than a month after initial external contact regarding suspicious activity, with the company publishing affected location details on its website to inform customers.

The malware, likely installed through unauthorized access to remote administration tools, harvested card information directly from compromised POS devices. Stolen data could be sold to criminal networks for encoding counterfeit magnetic stripe cards, often used to purchase high-value merchandise or gift cards from retail chains. While Kimpton eliminated the malicious software from its systems by July 2016, the investigation did not publicly identify the attackers or confirm the total number of compromised cards. The company advised customers to review account statements for unauthorized transactions, noting standard protections against fraudulent charges under federal law. No additional technical specifics regarding malware variants, data exfiltration methods, or internal detection processes were disclosed in the available public statement. The incident underscored persistent vulnerabilities in hospitality sector payment environments despite widespread industry awareness of POS-targeting threats.
