Three More Hotel Chain Credit Card Breaches

This is getting a bit crazy.  I am thinking about paying cash next time I stay at a hotel.

UPDATE:  The Hutton breach is tied to another breach from last week, HEI Hotels.  The Hutton is managed by HEI.  HEI also manages hotels for Intercontinental, which owns Kimpton.

Also, Noble, which owns Ocean Key, below, is now saying that 10 of its properties were breached, not just the Ocean Key, from Florida to Seattle.

First comes Ocean Key Resort and Spa.  One more time, the hotel did not know that they had been breached until the Secret Service came knocking on the CEO’s door and ruined his day.

They seem to have discovered it pretty quickly – which means, since Ocean Key didn’t know about the breach at all, that the hackers were actively using the cards that they stole.  The time window for the breach was April 26, 2016 to June 8, 2016 – about 6 weeks, but remember that short time window was likely due to the fact that the hackers were actively using the stolen cards and it became easier to figure out the common denominator.
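The "common denominator" mentioned above is what card issuers call common point of purchase (CPP) analysis: when enough cardholders report fraud, the issuer looks for a merchant that all (or nearly all) of those cards have in common, and the earliest and latest transactions at that merchant bound the likely compromise window. The following is an added example of that logic and is not code from the original post; the transaction records, card IDs and merchant names are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real transactions): (card_id, merchant, date).
TRANSACTIONS = [
    ("card-1", "RESORT-A", date(2016, 5, 2)),
    ("card-1", "GROCER-X", date(2016, 5, 3)),
    ("card-2", "RESORT-A", date(2016, 5, 10)),
    ("card-2", "AIRLINE-Y", date(2016, 4, 30)),
    ("card-3", "RESORT-A", date(2016, 6, 1)),
    ("card-3", "GROCER-X", date(2016, 5, 20)),
    ("card-4", "CAFE-Z", date(2016, 5, 5)),
    ("card-4", "GROCER-X", date(2016, 5, 6)),
    ("card-5", "RESORT-A", date(2016, 5, 15)),
]

# Cards whose owners have reported fraudulent charges (constructed).
FRAUD_CARDS = {"card-1", "card-2", "card-3", "card-5"}


def common_point_of_purchase(transactions, fraud_cards, min_share=0.75):
    """Find merchants shared by at least `min_share` of the fraud-reported cards.

    Returns a list of dicts sorted by descending share, each with:
      merchant - the merchant identifier
      share    - fraction of fraud-reported cards seen at this merchant
      lift     - share among fraud cards divided by share among all cards,
                 so a merchant everyone uses (a big grocer) scores low
      window   - (earliest, latest) date a fraud-reported card was used there,
                 i.e. the suspected compromise window
    """
    fraud_by_merchant = defaultdict(set)   # merchant -> fraud cards seen there
    all_by_merchant = defaultdict(set)     # merchant -> every card seen there
    dates_by_merchant = defaultdict(list)  # merchant -> dates of fraud-card use
    all_cards = set()

    for card, merchant, when in transactions:
        all_cards.add(card)
        all_by_merchant[merchant].add(card)
        if card in fraud_cards:
            fraud_by_merchant[merchant].add(card)
            dates_by_merchant[merchant].append(when)

    hits = []
    for merchant, cards in fraud_by_merchant.items():
        share = len(cards) / len(fraud_cards)
        if share < min_share:
            continue
        overall_share = len(all_by_merchant[merchant]) / len(all_cards)
        hits.append({
            "merchant": merchant,
            "share": share,
            "lift": share / overall_share,
            "window": (min(dates_by_merchant[merchant]),
                       max(dates_by_merchant[merchant])),
        })
    return sorted(hits, key=lambda h: (h["share"], h["lift"]), reverse=True)


if __name__ == "__main__":
    for hit in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        start, end = hit["window"]
        print(f"{hit['merchant']}: {hit['share']:.0%} of fraud cards, "
              f"lift {hit['lift']:.2f}, window {start} to {end}")
```

The more actively the stolen cards are used, the more fraud reports arrive and the faster a single merchant stands out, which is why a short reported window, as in the Ocean Key case, usually means fast detection rather than a short-lived intrusion. The `lift` value guards against flagging a merchant simply because most people shop there.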

In this breach they are saying that both restaurant and hotel credit card users are at risk – likely because of a common credit card system or lack of isolation between two systems.

The second hotel chain announcing that they have joined the club of hotels that have been breached is the Kimpton chain.  For them, about 50 properties were affected including properties from coast to coast.

Kimpton heard about the breach on July 15th – they did not say how – and started investigating.  The breach ran from February 16 to July 7, 2016, so this one ran longer than the first – about 5 months vs. 6 weeks, but neither of them takes the prize; that is reserved for the last hotel in the trio.

Again, the breach affected both front desk and restaurant computers.  I am not sure why we are starting to see the front desk affected more of the time than we were seeing before.

In both of these cases, for many users, they do not have the name of the card owner in order to notify them, so they will not be notifying you.

This means that you are responsible for checking your payment card charges.  Depending on the type of card, you typically have up to 60 days to notify the bank of fraudulent charges by law.  If you notify them after that, it is up to the bank if they want to credit you or not.

The last entry into the club of breached hotels is, in my opinion, the winner.  It is the Hutton Hotel in Nashville.  Their breach also affected both the front desk and the restaurants, but the length of the breach is the breathtaking part.  The food and beverage breach ran from September 19, 2012 to April 16, 2015 or about 30 months.  The front desk breach ran from September 2012 to January 2015 but was reinfected between August 2015 and June 2016 or almost 40 months.

The Hutton breach was a little different in that the hackers were able, apparently, to capture the cardholder’s name as well as the card info;  that may allow them to notify cardholders.

Hutton also said that everyone who used a card to reserve rooms or pay their room bill may be affected.

The common theme here is that point of sale systems appear to be way too soft a target for hackers to ignore.

This also means that if you run a POS system, cyber breach insurance is probably a smart purchase, but make sure that the insurance covers events that started before you bought the insurance.  Given that the Hutton breach was active for almost 4 years, if they bought insurance three years ago, but it didn’t cover existing breaches, they would not get reimbursed.

It also means that you should be asking a lot of questions regarding how your vendor is protecting you and what liability they have if the system is breached.  If the answer is that they are not liable, I would start looking for another vendor.

Information for the Ocean Key breach came from

Information on the Kimpton Hotels breach came from Kimpton’s web site.

Information on the Hutton breach came from Softpedia.
