Hotel group IHG confirms cyber attack after two-day outage

UK-based hospitality multinational IHG, the operator of hotel chains such as Crowne Plaza, Holiday Inn, Intercontinental and Kimpton, among many others, has confirmed it has been targeted by an as-yet unknown threat actor in an ongoing cyber attack.

According to hospitality sector website LoyaltyLobby, which was among the first to pick up on whispers of a developing incident, a systems outage started at approximately 9pm EST on Sunday 4 September (2am GMT on Monday 5 September), leaving guests unable to access their loyalty scheme accounts, search for hotels, view or modify existing bookings, or make new ones.

At the time of writing, the outage is ongoing, with IHG’s main bookings page accessible to view, but warning guests that they “may have challenges” when it comes to making reservations.

In a statement to the London Stock Exchange, IHG said parts of its technology systems had been subject to unauthorised activity, and confirmed that its booking channels and other applications were “significantly disrupted”.

“IHG has implemented its response plans, is notifying relevant regulatory authorities and is working closely with its technology suppliers,” said the company. “External specialists have also been engaged to investigate the incident.

“IHG is working to fully restore all systems as soon as possible and to assess the nature, extent and impact of the incident,” it said. “We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG’s hotels are still able to operate and to take reservations directly. A further update will be provided as and when appropriate.”

The precise nature of the incident remains unconfirmed, although naturally there has already been widespread speculation that IHG has fallen victim to a ransomware attack. Note that a single IHG property, a Holiday Inn in Istanbul, Turkey, was hit by a LockBit ransomware attack in August 2022, although no connection necessarily exists.

Cyber intelligence analyst Hudson Rock claimed in a tweet that IHG had at least 15 compromised employees and 4,030 compromised users.

Thanks in part to the valuable nature of the data they hold on guests, such as passport numbers and other articles of personally identifiable information, hotel operators are lucrative targets for organised cyber criminal gangs, who will be well aware that such organisations will be more motivated to cooperate – or give in to extortion attempts – to prevent this data being leaked.

Sector giant Marriott International has been on the receiving end of multiple attacks in recent years – most recently in July 2022 at a US property in Baltimore, Maryland – while a previous incident at its Starwood chain dating back to 2014 saw it receive one of the largest fines levied to date in the UK under the General Data Protection Regulation, although this was later slashed by over 80%.

Nor has IHG itself been immune. An autumn 2016 incident saw the credit card information of thousands of guests stolen in a malware attack that hit approximately 1,200 hotels in the US and Puerto Rico.

In this attack, the malware hijacked data including cardholder names, card numbers, expiry dates and verification codes read from the cards’ magnetic stripe as it was being routed through the affected hotels’ servers.