The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.
H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms.
The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under ‘H-Hotels’ and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.
H-Hotels disclosed the cyberattack last week and stated that the security incident occurred on Sunday, December 11th, 2022.
“According to the first findings of internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational protection systems of IT in a professional attack,” explained the H-Hotel’s security incident notice.
“After the cyber attack was found, the IT systems were immediately shut down and disconnected from the Internet in order to ward off further spread.”
Although the attack did not impact guests’ bookings, hotel staff still can’t receive or answer customer requests sent via email, so it is recommended to contact H-Hotels by phone if necessary.
The firm has informed the German investigative authorities of the incident and is working with an IT forensics firm to restore systems as quickly as possible. H-Hotels also states that they are ensuring they will be adequately protected against similar cyberattacks in the future.
Data allegedly stolen in attack
Play ransomware has claimed the attack on H-Hotels and listed the company on its Tor site today, claiming to have stolen an undisclosed amount of data during the cyberattack.
The ransomware gang claims to have stolen private and personal data, including client documents, passports, IDs, and more. However, the threat actors have not released any samples to support these claims.
H-Hotels entry on the Play ransomware Tor site (BleepingComputer)
Furthermore, H-Hotels denied seeing any evidence of data exfiltration in last week’s announcement, and there has been no update on the matter since then.
“As of today, the commissioned IT forensic scientists have no evidence that relevant or personal data could be stolen by the cyber attack,” reads the announcement.
“Should a data outflow of personal data be determined in the course of these investigations, H-Hotels.com will inform the data subjects.”
Being an EU-based company, a large-scale data leak impacting customer data would have GDPR repercussions, making the cyberattack even more damaging.
For hotel guests, the potential exposure of their details and booking data can be a severe case of a privacy breach, providing information about future locations, financial information, and more.