Kimpton Confirms Credit Card Info Stolen From More Than 60 Hotels

In July, boutique hotel chain Kimpton revealed it was investigating indications that its credit card payment system had possibly been the latest to fall victim to a data breach. Now the company has confirmed the bad news, announcing that the payment terminals at dozens of Kimpton hotels, restaurants and bars were compromised for nearly six months.

In an announcement posted on the Kimpton website yesterday, the San Francisco-based company writes that it first learned in mid-July of a series of unauthorized credit card charges on accounts belonging to people who had stayed at Kimpton hotels in recent months.

The subsequent investigation confirmed that cybercriminals had installed malware on servers that processed payment cards used at the restaurants and front desks of more than 60 Kimpton hotels. The company has provided a full list of affected properties here, along with the dates during which each location’s payment systems were compromised.

The breach appears to have begun in Feb. 2016. In some locations, particularly restaurants and bars, the problem lasted as briefly as a few weeks, while a number of hotels were affected by the breach for up to five months.

According to Kimpton, the malware collected card numbers, expiration date, and internal verification codes. The cardholder’s name may also have been compromised, in a “small number of instances.”

Kimpton says that customers who used their cards during the relevant dates, and for whom the company has contact info, will soon receive written notification of the incident.

As KrebsOnSecurity.com — the site that first broke the news about Kimpton — correctly points out, you have no liability for fraudulent transactions on your credit cards, so long as you alert your card issuer to the questionable transaction within a reasonable window of time.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.