Cyber-attack on IHG’s hotel reservation system and mobile applications impacted; Exposes an unknown amount of data, causes an extended system crash
IHG Hotels & Resorts, the hospitality group that owns the Holiday Inn and Intercontinental brands among many others, suffered a cyberattack on the first weekend of September that impacted its central hotel reservation system and mobile apps . The hotel group continues to assess the nature and impact of the breach, but it caused a service outage that lasted several days and prevented loyalty program members from logging in and creating new reservations .
Cyberattack on major hotel brand suspected of ransomware
IHG has a total of 17 hotel brands in its portfolio, ranging from high-end to extended-stay properties. The UK-based group has more than 6,000 hotels in total in 100 countries, around half of which are located in the US.
The cyberattack was revealed to the public through a compulsory filing on the London Stock Exchange, but chatter began to appear on social media and hotel loyalty program websites on Sunday, September 4, as customers began to notice difficulties logging into the IHG hotel reservation system. and access the features of the mobile application.
IHG provided little information about the cyberattack, except to confirm that it impacted apps and the hotel reservation system. But independent cybersecurity analysts observing the situation suggest it’s likely a ransomware attack, given the prolonged outage and the fact that the company said it was working to restore its systems. An investigation by a third-party company is currently underway. IHG released a statement saying it was still able to take reservations over the phone during the service outage.
IHG confirmed one detail to reporters: This cyberattack is apparently separate from another recent ransomware incident that specifically hit a Holiday Inn location in Istanbul and was attributed to the LockBit ransomware group. IHG said Holiday Inn was a third-party franchisee and only its local systems were impacted by the previous cyberattack.
A piece of good news is that cybersecurity analysts have yet to observe data from the IHG hotel reservation system available in underground forums; if the cyberattack involved ransomware, it may not have been a “double extortion” that could also have involved the theft of customer payment information and sensitive internal business and employment documents.
The IHG hotel reservation system is unavailable to customers for an extended period
Although the cyberattack appears to have been at least partially mitigated at this point, IHG customers have received a message indicating that there may be “challenges” in booking rooms online (and suggesting that rooms should instead be reserved by phone). Some news outlets were unable to reserve rooms in the United States through the website or app until Wednesday the 7th.
Hotel reservation systems are a target of interest for malicious hackers because they often contain not only customer payment information, but also identification scans (such as driver’s licenses and passports) and financial documents from corporate accounts that regularly send staff to certain locations. Just before the Covid-19 pandemic, hackers had also shown keen interest in hotel loyalty program accounts. When these are compromised, it is often simple for attackers to convert accumulated loyalty points into easy-to-use and hard-to-trace gift cards.
Radisson suffered such a breach at the end of 2018, and attackers could return to it now that Covid-19 restrictions are easing around the world and travel is resuming.
As Chris Vaughan, AVP of Technical Account Management for EMEA and Tanium notes, “This is the latest high-profile attack to impact the hospitality industry which has been increasingly targeted in recent times… ‘IHG is grappling with this latest incident, it needs to scan all devices connected to the corporate network to find the problem ones and then take appropriate action to mitigate any further risk. This may include deploying a patch or removing certain devices from the network. The problem is that most organizations don’t have this level of visibility due to the complexity of their IT environments and the number of different tools they use. They can’t solve a problem they can’t see, so this area is vital. Another important measure that helps avoid these types of attacks is having the right corporate culture. This should prioritize cybersecurity and encourage business stakeholders to regularly work in partnership with IT operations and security professionals. You can’t always stop a sophisticated cyberattack, but by working together to maintain a good level of IT hygiene and establishing effective employee awareness training, you can certainly make it harder for attackers to succeed.
IHG made headlines several years ago for an earlier data breach, as the company was breached for three months in 2016 and the public was not notified until April 2017. Meanwhile, the attackers obtained credit card data from the hotel reservation system and the victims noticed that their cards were being used. In 2020, the company agreed to pay more than $1.5 million to settle a class action lawsuit over the issue.
Although IHG has experienced security issues of this nature with its hotel reservation system (and app), the company has seen increased profits along with the rest of the hotel industry lately as demand of “revenge trips” has supercharged during the peak seasons of 2021. and 2022. In August, the company repurchased $500 million in stock based on this strong recent performance, but its share price fell by 3% upon announcement of the violation of its hotel reservation system.
Ransomware demands from companies the size of IHG now typically run into the millions of dollars, and even if payment is made and systems are recovered, remediation costs can reasonably amount to tens of millions. John Gunn, CEO of Token, believes that this particular case will cost IHG even more (whether or not the company has paid a ransom demand): “When you consider that IHG generates revenue of approximately $8 million per day and the average business interruption from a ransomware attack is 2-4 weeks, you can see where IHG’s losses could quickly exceed $100 million, not to mention reputational damage. Hanes Brands recently revealed that it lost $100 million in revenue following a successful ransomware attack. It’s a trend that will continue as ransomware gangs prey on organizations that have the most to lose and will therefore be most likely to pay a large ransom.