IHG Hotels & Resorts, the hotel group that owns the Holiday Inn and Intercontinental brands among numerous others, suffered a cyber attack on the first weekend of September that impacted its central hotel booking system and mobile apps. The hotel group continues to assess the nature extent and impact of the breach, but it caused a service outage that lasted for several days and prevented loyalty program members from logging in and creating new bookings.
Cyber attack on leading hotel brand suspected to be ransomware
IHG has 17 total hotel brands in its portfolio, ranging from upscale to extended stay properties. The UK-based group has over 6,000 total hotels across 100 countries, about half of those located in the United States.
The cyber attack was revealed to the public by way of a mandatory London Stock Exchange filing, but chatter began to appear on social media and hotel loyalty program websites on Sunday, September 4 as guests began to notice difficulties logging in to the IHG hotel booking system and accessing mobile app features.
IHG has provided little information on the cyber attack, save to confirm that it impacted apps and the hotel booking system. But independent cybersecurity analysts observing the situation suggest that it is a likely ransomware attack, given the extended outage and that the company has said that it is working to restore its systems. An investigation by a third-party firm is currently underway. IHG issued a statement saying that it was still able to take bookings by phone during the service outage.
IHG did confirm one detail to reporters: this cyber attack is apparently separate from another recent ransomware incident that specifically impacted one Holiday Inn location in Istanbul, and was attributed to the LockBit ransomware group. IHG said that Holiday Inn was a third-party franchisee and that only its local systems were hit by the prior cyber attack.
One small piece of good news is that cyber security analysts have not observed data from the IHG hotel booking system up for offer on underground forums as of yet; if the cyber attack involved ransomware, it may not have been of the “double extortion” variety that also might have involved the theft of customer payment information and sensitive internal business and employment documents.
IHG hotel booking system unavailable to customers for extended period
Though the cyber attack appears to have been at least partially mitigated at this point, IHG guests have been getting a message indicating that there may be “challenges” in booking rooms online (and suggesting that rooms be booked by phone instead). Some news outlets were unable to book rooms at United States locations via the website or app as late as Wednesday the 7th.
Hotel booking systems are a target of interest for malicious hackers as they often contain not just customer payment information, but scans of identification (such as driver’s licenses and passports) and financial documents from corporate accounts that regularly put staff up at certain locations. Just prior to the Covid-19 pandemic, hackers had also shown a strong interest in hotel loyalty program accounts. When these are compromised, it is often simple for attackers to convert accrued loyalty points to gift cards that are easy to abscond with and hard to trace.
Radisson suffered just such a breach in late 2018, and attackers may be shifting focus back to this now that Covid-19 restrictions are easing around the world and travel is picking back up.
As Chris Vaughan, AVP of Technical Account Management for EMEA and Tanium, notes: “This is the latest high-profile attack to impact the hotel sector which has been increasingly targeted in recent times … As IHG grapples with this latest incident, it needs to analyze all the devices connected to the corporate network to find any problematic ones and then take appropriate action to mitigate any further risk. This could include rolling out a patch or removing certain devices from the network. The problem is, most organizations do not have this level of visibility due to the complexity of their IT environments and the number of different tools that they are using. They can’t fix an issue that they can’t see, so this area is vital. Another important measure that helps to avoid these types of attacks is having the right company culture. This should prioritize cybersecurity and encourage business stakeholders to work regularly in partnership with IT operations and security professionals. You can’t always stop a sophisticated cyber-attack, but by working together to maintain a good standard of IT hygiene and establishing effective employee awareness training you can certainly make it more difficult for the attackers to be successful.”
IHG made news several years ago for a prior data breach, as the company was penetrated for three months in 2016 and the public was not notified until April 2017. During that time, attackers obtained credit card data from the hotel booking system and victims noticed that their cards were being used. In 2020 the company agreed to pay over $1.5 million to settle a class action lawsuit over the issue.
Though IHG has had some security hiccups of this nature with its hotel booking system (and app), the company has enjoyed rising profits along with the rest of the hotel industry as of late as “revenge travel” supercharged demand in the peak seasons of 2021 and 2022. In August the company bought back $500 million in stock based on this strong recent performance, but its share price dropped 3% on news of its hotel booking system breach.
Ransomware demands on companies of the size of IHG are now generally well into the millions of dollars, and even if payment is made and systems are recovered the remediation costs realistically can be expected to be in the tens of millions. John Gunn, CEO of Token, thinks that this particular case will be even more expensive for IHG (whether or not the company paid a ransom demand): “When you consider that IHG generates revenue of about $8 million per day and the average business interruption from a ransomware attack is 2-4 weeks, you can see where IHG’s losses could quickly surpass $100 million, not to mention the reputational damage. Hanes Brands recently disclosed that they lost $100 million in revenue from a successful ransomware attack. This is a trend that will continue as ransomware gangs go after organizations that have the most to lose and will therefore be the most likely to pay a large ransom.”