Hackers told the BBC they carried out a destructive cyber attack against Holiday Inn owner Intercontinental Hotels Group (IHG) “for fun”.
Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack and when they were foiled, they deleted a large amount of data.
They got into the FTSE 100 company’s databases thanks to the easy-to-find and weak password Qwerty1234.
An expert says the case highlights the vindictive side of criminal hackers.
Headquartered in the UK, IHG operates 6,000 hotels worldwide, including the Holiday Inn, Crowne Plaza and Regent brands.
On Monday of last week, customers reported widespread problems with booking and check-in.
Within 24 hours, IHG responded to complaints on social media by saying the company was “undergoing system maintenance”.
It then announced to investors on Tuesday afternoon that it had been hacked.
“Booking channels and other applications have been significantly disrupted since yesterday,” the company said in an official announcement filed with the London Stock Exchange.
Holiday Inn hotels hit by cyber attack
Holiday Inn hotels affected by payment hack
The hackers, calling themselves TeaPea, contacted the BBC via the encrypted messaging app Telegram and provided screenshots as proof they had carried out the hack.
The images, which IHG confirmed to be genuine, show they gained access to the company’s internal Outlook emails, Microsoft Teams chats and server directories.
“Our attack was originally planned as ransomware, but the company’s IT team kept isolating the servers before we had a chance to deploy it, so we thought we’d make a joke. We did a wiper attack instead,” one of the hackers said.
A wipe attack is a form of cyber attack that irreversibly destroys data, documents and files.
Cybersecurity specialist Rik Ferguson, vice president of security at Forescout, said the incident was a cautionary tale because even though the company’s IT team initially found a way to fend them off, hackers were still able to find a way to strike. damage.
“The change in hacker tactics appears to be born out of vengeful frustration,” he said. “They couldn’t make money, so they were flailing, and that totally betrays the fact that we’re not talking about ‘professional’ cybercriminals here.”
IHG says customer-facing systems are returning to normal, but services may remain interrupted.
Hackers show no remorse for the disruption they have caused to the company and its customers.
“We really don’t feel guilty. We prefer to work legally here in Vietnam, but the average salary is $300 a month. I’m sure our hack won’t hurt the company much.”
The hackers say no customer data was stolen, but they do have some company data, including email records.
TeaPea claims they gained access to IHG’s internal IT network by getting an employee to download malicious software via a planted email attachment.
They also had to bypass another security challenge sent to the worker’s device as part of the two-factor authentication system.
The criminals then claim to have gained access to the most sensitive parts of IHG’s computer system after finding login credentials to the company’s internal password vault.
“The username and password to the vault was available to all employees, so 200,000 employees could see it. And the password was extremely weak,” they told the BBC.
Surprisingly, the password was Qwerty1234, which regularly appears on lists of the most used passwords around the world.
“Sensitive data should only be available to employees who need access to that data to do their jobs, and they should have the minimum level of access [needed] to use that data,” Mr. Ferguson said after seeing the screenshots.
“Even a very complex password is as insecure as a simple one if left exposed.”
An IHG spokeswoman disputed that the password vault details were not secure, saying the attacker had to evade “multiple layers of security”, but did not give details of the additional security.
“IHG employs a defense-in-depth information security strategy that utilizes many modern security solutions,” she added.