InterContinental Hotels — one of the biggest hotel groups in the world — recently revealed its systems have been “significantly disrupted” after being hit by a large-scale cyberattack.
Due to the breach, the hotel group, which owns other major brands like Holiday Inn, Crowne Plaza, and Regent Hotels, hasn't been able to accept online bookings for over three days in any of its 6,000+ global locations.
With the hospitality industry being one of the least likely business sectors to prioritize cybersecurity spending, this hack should stand as a cautionary tale to unprepared hoteliers.
InterContinental Confirms Cyberattack after Two-Day Outage
If you've tried to book a hotel room with InterContinental Hotels over the last few days, you would have been faced with an “error occurred, please try again later” message, before being kindly asked to make a reservation via phone or email.
According to a statement released by the hotel group (also known as IHG), the breach was caused by a threat actor gaining unauthorized access to its network.
“IHG is working to fully restore all systems as soon as possible and to assess the nature, extent and impact of the incident.” – Statement by IHG Hotels & Resorts
The company admitted that the disruption was ongoing, and all booking channels and other applications had been down since Monday; however, IHG hotels are still able to take reservations directly. External specialists are currently investigating the incident.
Details about the incident have not been released, so it's unclear what kind of cyberattack took place, and whether any private customer data was compromised. Despite this ambiguity, many experts suspect ransomware may be the cause due to the company's commitment to restoring impacted systems.
Unfortunately for the hotel group, this isn't its first encounter with the cyber underworld. In 2017, the chain was the target of a three-month security breach that impacted more than 1,200 US hotels.
With IHG being the subject of two major attacks in the last five years, it's clear that the steps required to adequately secure the hotel's network haven't yet been put in place. Unfortunately for the hospitality industry, this isn't an anomaly.
Hospitality Industry is Severely Underprepared for Cyberattacks
Tech.co's independent research on cybersecurity — which includes survey results from 1000+ US businesses — revealed that the hospitality industry is one of the most unprepared for cyberattacks, with only 13% of hospitality businesses considering a security system to be a top budget priority, compared to 27% of education companies and 26% of IT services.
This suggests hospitality businesses like hotels, cafes, and restaurants are opening themselves up to more risks than other trades, and the impact of this can be monumental.
As previous instances make clear, failing to adequately invest in cybersecurity costs businesses an average of $4.24 million. Unless you're a leading hotel chain, a loss of that size could prove very hard to come back from.
And hotels aren't unlikely targets, either. In 2018, around 514 hotel records were stolen globally, and as this timeline reveals, major hotels like Radisson, Marriott International and the Hilton were repeatedly attacked throughout 2019 and 2020.
How Can Hospitality Businesses Protect Themselves?
There are steps businesses can take to avoid breaches of this kind, though. We discuss a few practical measures below.
- Use a password manager – With only 7% of hospitality businesses using a password manager, it's the least likely industry to use the tool, according to our research. Yet, with strong passwords being one of the easiest ways to obstruct hackers, using one really should be a no-brainer.
- Store customer data securely – If private customer data is leaked, it could ruin the reputation of your brand overnight. To mitigate the risks of a hack, we recommend encrypting data and storing it in secure locations on servers.
- Educate your workforce about risks – Even if your business doesn't have a huge digital presence, any type of internal system can fall victim to a phishing attack. To decrease your chances of being caught out, it's sensible to advise your team to look out for suspicious activity online.