Skip links

Cyberattack brings down InterContinental Hotels’ booking systems

The IT systems of InterContinental Hotels Group, the massive hospitality organization that operates 17 hotel brands around the world, have been compromised, causing ongoing disruption to the corporation’s online booking systems and other services.

IHG, which is headquartered in Denham, England, and has offices in Atlanta, Singapore, and Shanghai, said in a statement to the London Stock Exchange Tuesday that “parts [of its] technology systems have been subject to unauthorised activity.” It went on to say that its operations have been disrupted since Monday, which has left people struggle to reserve rooms online, at least.

Company officials said in the statement they are putting its response plans in motion, notifying authorities about the intrusion, and working with its technology suppliers. In addition, experts from outside of IHG also are being brought in to help with the investigation.

“IHG is working to fully restore all systems as soon as possible and to assess the nature, extent and impact of the incident,” the corp said. “We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG’s hotels are still able to operate and to take reservations directly.”

Attempts by The Register to book a room online via the IHG website were unsuccessful, as we repeatedly ran into a message saying the requested page was unresponsive. Clicking on links to other pages on the site were met with the same message, though some pages popped up after a few minutes of delay.

The company put a message to guests at the top of the home page informing them that “at this time, you may have challenges booking a new reservation, accessing information about your upcoming reservations and accessing your IHG One Rewards account.”

The message says the company is working to resolve the issues as quickly as possible and suggests customers with questions call the hotel directly.

IHG is a massive operation, running 6,028 hotels and 882,897 rooms in more than 100 countries. It has about 325,000 employees and included in its brands are Regent, InterContinental Hotels and Resorts, Crowne Plaza, Holiday Inn and Holiday Inn Express, Candlewood Suites, Atwell Suites, and Even Hotels.

IHG didn’t disclose whether the attack was the result of ransomware or some other malware. Threat intelligence company Hudson Rock said in a tweet that at least 15 IHG employees and 4,030 users on the internal network were compromised, according to information gathered from ihg[.]com.

This isn’t the first time IHG has been hit by a cyberattack. A network security breach in 2016 impacted the company for about three months, with IHG officials admitting in April 2017 that 1,200 hotels were affected by the intrusion. In that snafu, attackers deployed malware that accessed payment card data that was then used make fraudulent payments with cloned cards.

Three years later, IHG settled a class-lawsuit brought against it, with the amount capped at $1.55 million.

Hospitality organizations are among the top industries targeted by cybercriminals. Mews, a property management system maker, said in a blog post last year that the bookings – both online and at the front desk – and the large numbers of credit cards they process make these sorts of organizations attractive and vulnerable targets. These groups also hold a lot of traveler data, which could be useful for, say, intelligence agencies wishing to keep track of certain individuals. The types of attacks include trojans, memory scrapers, phishing, and denial of service.

Marriott Hotels in July said it had been hit by a third cyberattack in four years, with miscreants making off with 20GB of data, including credit card information and internal company documents.

Any company that is part of the larger travel ecosystem is an interesting targeted for sophisticated hacking teams, according to Aaron Turner, CTO of SaaS Protect at cybersecurity firm Vectra.

“Whether it’s an airline or a hotel chain, those companies are essentially banks,” Turner told The Register. “The rewards points that each of those companies offers their loyal customers can be used to monetize all sorts of underground internet activity. The financial controls that exist to restrict the movement of value through the use of traditional currencies often times don’t exist for rewards points.”

He said he has seen reward points used for a range of criminal enterprise monetization schemes, from casino rewards to airline upgrades to hotel loyalty points.

They’ve also been used for “virtual currencies in gaming ecosystems, even situations where health insurance promotions were used for fraudulent purposes,” he said. “Anytime value can be transferred to bypass traditional criminal currency transfer controls, criminals will focus on those value transfer systems.” ®