September 1, 2016

Kimpton Hotels on Wednesday formally acknowledged that malware found on payment terminals in many of its hotels and restaurants may have compromised credit/debit cards of guests who patronized the properties in the first half of this year. The disclosure comes more than a month after KrebsOnSecurity first contacted to the company about a possible credit card breach across most of its locations.

kimptonAccording to a notice added to the Kimpton Web site, the incident involved cards used at certain restaurants and hotel front desks from February 16, 2016 to July 7, 2016. Kimpton has posted a list of more than 60 restaurants and hotels where the company found and removed card-stealing malicious software from payment terminals.

Kimpton joins a long list of hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity, including Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves had planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. However, the source and extent of the apparent breach at Kimpton properties is still unknown.

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

50 thoughts on “Kimpton Hotels Acknowledges Data Breach

  1. Jerry

    The investigation likely started with your notification. Many have preventive controls , like firewalls, and few if any detective controls.

  2. Eric

    Do we have a sense of how many of these hotel breaches are really a result of the problems at Micros/Oracle?

    1. BrianKrebs Post author

      Kimpton finally got back to me about that question, and they said they do not believe it’s related to the Oracle intrusion.

      1. Great_Midwest

        They give away way too much info about their infrastructure in this job listing, a common snafu in the IT community. They are a Micros\Opera AND Synxis customer. Synxis is from Sabre\preffered hotels and interfaces hotel property websites with their Opera installation for online reservations and payments, could also be a common point of breach because Synxis is used by the vast majority of hotel properties, and as of now an under leveraged attack vector:

  3. Danell

    Any word on the type of malware used and how the criminals first implanted it? (physical access?)

    1. Chris

      Considering the geographic diversity of the compromise, I would guess it was not a physical breach. Unless the initial breach was via physical access which created a back door so the malware could be remotely installed.

    2. Bill

      You will NEVER get these players to reveal any details as to how they were compromised.

      Take a look at iSIGHT Partners presentation on MoDPOS from late last year, unlikely this variant but most of these breaches follow a similar path.

  4. Scott Schober

    Brian- great that you are prompting them or they likely would cover it up.

    Interesting the pattern here…..I wonder how many other hotels POS have been hit with malware that we have not heard about yet?

    thanks for great reporting !
    Scott Schober
    Author Hacked Again

  5. Pete

    “Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.”

    This is not necessarily a true statement. The fact is, if a retailer deploys P2Pe they could foil most any malware attack focused on cardholder data. Ironically, most retailers, and the authorization industry, have put little emphasis on P2Pe, which in itself is a very great mystery to me.

    I often notice how a breached retailer will quickly deploy P2Pe, soon after a breach occurs, in the CIO and CEO or fired.

    1. Dave

      I’ll readily admit I’m not an expert on PCI/PCPE and the like, but what little I’ve read up on the subject doesn’t demonstrate how these technologies prevent an attacker from extracting the PII from the memory of the PoS device.

      Thanks to Wikipedia:

      “After a credit card is swiped through a P2PE PCI certified card reading device at the merchant location or point of sale, the device immediately encrypts the card information.”

      So… the malware is running on the PoS, not in front of it or somewhere in the network flow. It has complete control of all peripherals and I/O coming in and our of the device, and can read any memory locations. It is running as root/SYSTEM in RING 0, and so sees the card data unencrypted BEFORE the device “immediately encrypts” it. How does being “certified” prevent this?

      As an example point-of-reference, I’ll direct you to Barnaby Jack’s (RIP Barnes) excellent work on “Jackpotting ATM’s”. He was able to create arbitrary malware that took complete control of the ATM system, including hijacking the card reader O/I.

      Until PoS vendors start actually HARDENING their PoS devices (write secure code, patch vulnerabilities, use only signed binaries, etc), this will keep happening.

      1. Phisher King

        I think you are correct on both counts and I do wonder why the PCI audit police have not stamped all over the PoS vendors already and sued a few out of existence.
        Maybe Brian can drop a courtesy call to EMV and suggest they consider taking steps to actually fix the problem?

      2. bigmacbear

        As I understand it, certified P2PE card readers/PIN pads are separate components from the PoS terminal (i.e. cash register) itself. The latter is often saddled with Windows XP Embedded which is subject to all sorts of malware.

        The problem then becomes one of insuring the integrity of the firmware on the certified device. If the card reader/PIN pad firmware cannot be updated from the PoS terminal, but must be updated by physical access to the device, you’re very far ahead.

        1. enthusiast

          p2p2 is not deployed in mass for a few reasons. First lets define p2pe, as some people have different definitions. Visa considers encryption at the swipe p2pe, regardless of who owns the key. If the merchant owns the key, they commonly decrypt at the payment switch, so they can authorize their own credit cards, or take advantage of different rates. This reduces CDE scope, but means merchants can still lose credit cards if the crooks get their hands on those keys, or get control of the switch. Others in the industry only want to see where e2ee, where the encryption by hardware at the swipe uses a key the merchant doesn’t even have – only the processor can. You can’t lose what you don’t “have”.

          Anyways, you need card readers which can do the encryption. Not everyone has them. You also need point of sale applications which can work with encrypted card data (using format preserving encryption helps ease this burden). So you need software/integration. And if you’re doing E2ee, you can’t even see that card data, so you feel beholden to the processor. Who by the way charges more for these types of transactions. All comes back to cost…

      3. Bruce

        Point-to-point encryption (P2PE) is a specific Point of Interaction (POI) implementation. The card reader encrypts the card number and PIN using the card processor’s keys on the device and sends the data encrypted over the merchant’s network (and Internet) to the card processor.

        What you are thinking of is a Payment Application where the card is swiped within the application and handled by the application. The Oracle/Micros breach is along these lines.

  6. UXGuest

    Very interesting. I recently (July) stayed at a Kimpton hotel and afterward noticed a strange charge on my card by the hotel, in addition to my room and deposit hold. Reported it to my bank and they sorted it out but never heard an explanation.

    1. K

      A charge from the hotel would not likely be because of or any indication of a data breach. Hackers steal card data to steal identities, create fraudulent cards using your cardholder data, and other means of charging fraudulent charges to you. It would not likely show up as a charge from an establishment that you legitimately did business with.

    1. Bill

      As much as I loath Oracle and wish them the worst, it is not their fault.

      It is more a lack of fundamental network security.
      *default usernames, passwords, or both
      *Lack of physical layer segmentation
      *Lack of P2PE
      *EOL OS (XP, 2000, 2003)
      *Lack of patch managment
      *Lack of training for staff

      The retail and hospitality industry as a whole is asleep at the wheel when it comes to these things, I expect many more to fall.

  7. Robert.Walter

    6 weeks after last breech to inform? Wonder if they planned to sit on this. Any jurisdiction have shorter disclosure requirements?

  8. Credit Union Fraud Dept

    Well I stayed at a Washington DC Kimpton in July and ate in the restaurant but luckily they didn’t swipe my card – I charged it to my room. I’m guessing that even though I booked through Expedia I may expect issues..

    1. B_Brodie

      Expedia uses CC ‘tokens’ so that the client never sees your card number – you’re probably safe as long as you never presented your card at the hotel.

      1. Phisher King

        Doesn’t every hotel swipe your card when you first check-in, irrespective of how you did the initial booking?

        1. CW

          Yes, I think you’re absolutely right. The hotel requires a card, in case you decide to empty the refrigerator of the tasty little bottles of liquor, for the cheap price of $8-10/bottle! But in all seriousness, I think they do get a credit card from you, for any possible “incidentals” or damage that may occur.

          1. James

            Every hotel does require a major credit card or a bank card for those ‘incidents’ that may or may not happen. I have stayed in plenty of different hotel chains and that is the standard.

            1. Heiko

              Hi James,

              you’re right, unless your employer has a working relationship with the hotel / hotel-chain and they know the bill is going to be paid. I had that for many years with my former job.

              As a side note: I did stay in the Kimpton Palomar in DC in June. and had to present my card on the front desk. Early in July I got a new card from my credit card company. The only statement was “your card data has been spotted with criminals as stolen” and therefore they closed the card and issued a new one to me.

  9. Unofficial PCI Blog

    It does seem like quite a coincidence following the Oracle Micros breach, especially when the extent of said breach is still unknown (outside of the customer portal). Frankly, I’m surprised that more merchants haven’t moved towards P2PE/E2EE solutions that entirely remove clear text data within their environment. I do think that P2PE/E2EE solutions will be the future of the ever-evolving PCI DSS standard.

    1. Bob

      I believe cost is the biggest reason more merchants don’t use P2PE is the transaction cost. I seem to remember someone mentioning that the cost for a P2PE transaction is about triple the cost of a non-P2PE transaction.
      As long as the cost of NOT doing P2PE is less than the cost of doing P2PE, most merchants won’t do it.

      1. enthusiast

        Triple seems high.. Are they baking into that some of the front loaded costs of upgrading your hardware and software to support the P2PE process?

        1. Bob

          I don’t know the details. I believe the subject was brought up in the comments to another one of Brian’s posts, but I’m afraid I don’t remember which one it was. I know I was very surprised. It sounded like someone trying to take advantage of a monopoly position.

    1. James

      The terminology in this article suggests it only affected magnetic swipes. Chip tech is a lot more secure to the fact it uses random numbers, characters, and letters to represent your credit card, or bank card. No string is the same every-time you use the the card with the chip (has to be used as a chip transaction though, no swiping at all) on each and separate transaction.

  10. andy

    Clinton email server up and running at Clinton Executive Services Corp(CESC)…they never shut it down

  11. Mike

    I’m not exactly certain how a PoS system works, network-wise. However, I’d guess that either the Points all talk to an in-building server that then talks to the outside world or each point talks to the outside world. Somewhere, there could be a simpler solution. If traffic uses specified ports AND not common ports, then using firewall rules, traffic can be restricted.

    If each PoS has it’s own IP (I doubt this is how they talk, but I don’t actually know how PoS’s are set up), then that IP is allowed out to the outside world on only a few specific ports and only to the required address range, etc. If actual PoS systems are set up differently, the idea can apply where needed. If I remember correctly when I was cashiering and things would go down, the PoS connection was an infrastructure separate from other connections. The same goes for servers. Certain traffic (as labeled by port #’s and internal IP’s) should be very restricted.

    Another helpful thing is that we don’t let employees use the servers to web-browse on their breaks.

    1. SeymourB

      I don’t know in this instance, but from what I remember about the Target breach the POS systems were not allowed to talk directly to internet, so they compromised a system that could talk to the internet and made a series of hops of compromised systems to reach the POS terminals, which is the path the data took to get from the terminals and out to the internet.

      You can block direct communicatino on the POS systems, lock it down to just authorized external communication, but if there’s one system that can talk to them that can talk to the internet and can be compromised, they’ll get the data out through it.

  12. Bruce

    Fun aside: I was attending PCI training at a Kimpton hotel where Kreb’s broke this story. Interesting how the class’s instructor couldn’t get to via the hotel’s wifi… If you can’t face the truth, hide it!

    1. BIll

      @Bruce try /r/conspiracy you might gain more traction there.

      Klimpton like every other hotel out there outsources HSIA to a 3rd party, in this case, I believe 11Wireless. Good friggen luck getting them to blacklist a site in a timely fashion.

      1. Bruce

        No conspiracy – just an odd coincidence shared with a touch of hyperbole.

  13. angla gaitan

    Creative comments ! I loved the specifics ! Does anyone know if my assistant can find a fillable SSA-11-BK form to complete ?

  14. clint

    Usa and russia work together! 2. Near future usa and rusia will become union . New name will be AMERUSS. All that fraud is neccesary to rise funds for new union. Money is rised by Fed. Federal reserve same people who run both. Russia and usa. Everything is related usa allready do construction projects in siberia money is from usa citozens. Debt what the tax payers will pay. All serious carding forums are run by secret service escrow service provider underground carding game is ex military kgb fsb official. As we know ninja stells escrow service providers as forums admins are highly educated persons. They work together with secret service. Regular common people can know that all that our world is corrupted and dirty. Yes… but they cant to nothing about it. Thats why world elite not bother to block conspiracy videos content on youtube. Becouse nobody dont care anyways and people even dont believe. MATURITY OF PEOPLE DONT CARE ALL THEY CARE IS only that they have food on the table booze drugs and lust. The very few people who will undestood this will be so exited about this that they will take advance of this system. Even if you read this all even if tgere is facts exposed about world leaders and elite the people who dont undestood will still look at like monkey will look computer. So nothing to do world existing like this couse of our own ingmorance. We let our lifes to be guided by other humen beeings who we think are our gods?? They ecisting couse all people believe that. VERY FEW PEOPLE WHO FIND SYSTEM IS NOT FAIR THEY WILL START fight against they become criminals and revolutionares.but after they will be ones who will be the ones who will support the same system what they first fight against….like wise everything work reverse… EVEN IF YOU READ ALL THIS and you not prepared to undestood. You not gona undstood nothing. But once you start asking questions then u know u are on the right path.

  15. nck

    If ur mind not ready for this then u not gona follow or undestood this order to reach undestunding u nedd experinces with enought education .

    1. Patty Cake

      You and clint sound like the same person vis a vis the conspiracy thing. You also both kind of sound like you are Americans trying to sound Slavic.

  16. Apexian

    Hi Brian
    Whether the this sort of breach occured while swiping the card in the bank-installed POS machine or the Cash Register (which i presume is also called POS). If it is latter why banks should continue to permit swiping of the card by merchants just to facilitate in-house functions of merchants and expose their customers to risk. Who bears the loss in these cases. Would be glad if you can enlighten me on this (may be trivial).

  17. Andreas

    They sat on it for 2 months. Their reaction has shown not an ounce of responsibility or contrition – just legalese defensiveness and the fool’s gold of a “free year of credit monitoring,” which could be a marketing giveaway by the monitoring service.

    Staying at Kimpton after they have so clearly shown their disdain for customers this way isn’t merely ill advised, it’s being a sucker.

Comments are closed.