Describing themselves as a couple from Vietnam, they first tried a ransomware attack and then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234.
An expert says the case highlights the vindictive side of criminal hackers.
UK-based IHG operates 6,000 hotels worldwide, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in.
For 24 hours, IHG responded to complaints on social media by saying that the company was “undergoing system maintenance”.
Then on Tuesday afternoon, it told investors it had been hacked.
“Booking channels and other applications have been significantly disrupted since yesterday,” it said in an official notice lodged with the London Stock Exchange.
Cyber-security specialist Rik Ferguson, vice-president of security at Forescout, said the incident was a cautionary tale because, even though the company’s IT team initially found a way to fend off the hackers, the attackers were still able to find a way to inflict damage.
“The hackers’ change of tactic seems born out of vindictive frustration,” he said. “They couldn’t make money, so they lashed out, which betrays the fact that we are not talking about ‘professional’ cybercriminals here.”
IHG says customer-facing systems are returning to normal, but that services may remain intermittent.
The hackers show no remorse about the disruption they caused the company and its customers.
“We don’t feel guilty. We prefer to have a legal job here in Vietnam, but the average wage is $300 per month. I’m sure our hack won’t hurt the company a lot.”
The hackers say no customer data was stolen, but they have some corporate data, including email records.