What Happened In The IHG Hotels Data Hack?

IHG Hotels was hacked earlier this month. Their systems were down. They could not take reservations. The chain was impaired for several days.

Now we know the story.

  • A couple from Vietnam intended a ransomware attack, but the chain was able to isolate its systems to prevent this.

  • Hackers accessed “the company’s internal Outlook emails, Microsoft Teams chats and server directories.”

  • Since they couldn’t make money from the attack they just went ahead and deleted data for fun.

According to the pair,

We don’t feel guilty, really. We prefer to have a legal job here in Vietnam but the wage is average $300 per month. I’m sure our hack won’t hurt the company a lot.

The perpetrators say that no customer data was stolen “but they do have some corporate data, including email records.”

It began with phishing, with an employee downloading an attachment from an email. Apparently systems were broadly accessible by employees, so they had a wide surface for attack. The password they needed once gaining access through an employee? Qwerty1234.

An IHG spokesperson says “IHG employs a defence-in-depth strategy to information security that leverages many modern security solutions.”

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. I’ve found probably the past 4 out 5 IHG properties also block use of VPN on their unsecured hotel network … oh the irony.

  2. As a former Chief Information Officer I’m willing to bet the IHG CIO, Chief Security Officer or both are now looking for new jobs. Frankly there are ways to protect against these attacks and it is unacceptable for large companies to not spend the money to implement such protections

  3. As MH experienced, IHG doesn’t allow VPNs on their hotel network OR on their booking platform.Their network times out after about 20 min of searching for booking causing incomplete itineraries. They got what they deserved as they crap on their customers daily and have crap customer service. Maybe the hackers have the officer’s bank accounts and that might finally get their attention..

  4. Companies don’t tend to take IT security seriously, they don’t do proper training with staff, etc. Many don’t realize it’s not a matter of “IF” we get hacked but “When”. I’m surprised they didn’t launch ransomware on this deal.

  5. I find this statement SO reassuring:
    “An IHG spokesperson says “IHG employs a defence-in-depth strategy to information security that leverages many modern security solutions.”
    How many committee meetings were held to come up with this inane statement?

  6. @DaninMCI – smart companies that value their systems absolutely do take security seriously and make huge investments to avoid these type of problems. I was a CIO in the healthcare field for a multi-billion dollar national company. We were subject to HIPAA, Sarbanes Oxley and many other regulations that impacted our systems and security. Also, we had annual audits completed that focused on IT controls. Finally I had to make presentations to our board on business interruption/disaster recovery and security matters. I assume you large companies recognize the value of IT and make investments to protect their business operations. IMHO IHG was negligent in this regard. I’m willing to bet if you compared them to Marriott, Hyatt, Hilton or any airline (let alone financial institutions) you would notice a huge difference.

Leave a Reply

Your email address will not be published. Required fields are marked *