Holiday Inn Cyberattack Teaches Cybersecurity Lessons

Cyberattack school is in.
20 September 2022

Holiday Inn – bed, breakfast, and cyberattack.

Intercontinental Hotel Group (parent company of Holiday Inn and Crowne Plaza) has become the latest enterprise-level company to suffer a major cyberattack. But the group (which has been cyberattacked before, in 2017) is also beginning to acquire the status of an object lesson in password weakness and poor cybersecurity practice.

The hackers, who call themselves TeaPea and describe themselves as a couple from Vietnam, got into the IHG internal databases by exploiting the invitingly weak password the company used for its main password database – Qwerty1234. And while their attempt to launch a ransomware cyberattack and rake in cash by exploiting that password was commendably defeated by IHG staff, who kept isolating servers before the ransomware could be deployed, they then decided to make the most of their access and launch a wiper attack instead – allegedly “for fun.”

IHG – which operates a group of 6,000 hotels worldwide, over 3,000 of them in the US – stalled customers who had trouble both booking and checking-in for a full 24 hours with the cover story that its databases were “undergoing system maintenance,” before coming clean and admitting it had been the victim of a cyberattack.

Lesson #1 – Password Security

And while the company’s cybersecurity teams succeeded in thwarting the ransomware attack, the company still irretrievably lost some of its internal operating data – meaning it will likely sustain losses above and the 24 hours of lost business. It is understood that on this occasion, no customer data was taken, but the hackers confirmed they had stolen some internal company data – including email addresses, which could be useful either for sale or for subsequent attempts to launch ransomware into the group’s systems.

There are several cybersecurity lessons for enterprise-level companies to learn from the IHG hack.

Firstly, a weak and easily guessable main systems password is the equivalent of a digital welcome mat for hackers. Companies should deploy a complex password, as much for the deterrent effect as anything else. The harder you can make it to access your systems illegally, the less likely you are to be entirely ransacked and forced into business immobility. It will not in any sense deter dedicated or professional hackers, but it may hold off or deter some less competent attackers.

The fact that Qwerty1234 is seen by a large number of non-technology companies as a sufficiently complex password for even sensitive areas of their corporate database (it hardly needs explaining that this is in no sense the case) speaks to a lack of cybersecurity awareness in the wider business community that could be – and frequently is – easily exploited by hackers.

Lesson #2 – Password Restriction

Secondly, the hackers said the Qwerty1234 password – the key to the main internal password vault for the enterprise-level group – was available to 200,000 staff. That equates to 200,000 potential access points for hackers. By minimizing both the number of essential staff who have access to main database passwords, and by limiting the use those staff are able to make of those passwords, so that they can do their jobs, but little more, you close otherwise easy access routes for hackers to ransack your systems.

Thirdly – and importantly – the TeaPea hackers are in no sense professionals, according to cybersecurity experts. Professionals would a) probably have successfully deployed their ransomware, crippling the operations of a 6,000-property hotel group with a ridiculously weak password protocol and a wide-open password distribution list, and b) not have switched to a wiper attack (which has the main purpose of irretrievably destroying data), either “for fun” or in a vindictive sideswipe if their ransomware attack was ineffective.

That means that a) major enterprises have systems weak enough to be hacked by bored amateurs from Vietnam. Imagining both the fact of this, and what could be done by anyone with a degree of professionalism about their hacking and a can-do attitude, should be the kind of thing to keep CISOs up at night, and prepare them to convince their boards about the importance of cybersecurity investment. And b) it’s too easy and glib to dismiss the IHG hack as a large enterprise with a password weakness that allowed amateur hackers to ransack its data and lose it a significant amount of potential earnings.

Lesson #3 – The Right Things May Not Matter

In fact, the statements of their actions by the TeaPea hackers show that IHG did a lot of the new cybersecurity things right, but that amateurs were still able to circumvent them.

TeaPea say they gained access to IHG’s internal IT network by using a fairly routine email scam – a piece of malware attached to an email. It can be argued that the success of this tactic shows either an insufficiently advanced system-level email quarantine program, an insufficient employee training program in cybersecurity protocols, or both – but email scams have evolved from their overly obvious forebears, and remain one of the most effective ways in which hackers gain entry to corporate systems in the 2020s. So if IHG was weak on cybersecurity, it at least has the dubious consolation of knowing that it’s by no means alone in its weakness.

Lesson #4 – Two-Factor Bypassing

Perhaps of more concern, the relatively recent darling of cybersecurity protocols – two-factor authentication – was another obstacle that IHG already had in place. The amateurs from Vietnam bypassed the two-factor authentication notification send to the staffmember with ease. The ability to do this is a known weakness of the two-factor element of cybersecurity systems within technology circles. It is, however, a weakness little publicised outside those circles, meaning many non-technology businesses regard it as an infallible one-stroke solution to an otherwise weak cybersecurity profile.

A spokeswoman from IHG said the group “employs a defence-in-depth strategy to information security that leverages many modern security solutions.”

None of which stopped amateur hackers from wreaking havoc with the group’s systems and getting away with email addresses that could leave those systems vulnerable to further attack, either by the amateurs, or by any professionals to whom they can be sold.

Lesson #5 – The Pain and the Price

Any non-technology company can be forgiven for being the victims of a single cyberattack (though technology companies should know better, and have both preventative technologies and training in place, and a robust disaster recovery plan). But arguably IHG should have applied the wisdom of “once bitten, twice shy” after it was hit by a three-month cyberattack in 2017, in which the hackers did access credit card data, and then used that data to make a whole range of fraudulent payments. IHG paid more than $1.5 million in a class action settlement for allowing its customers’ data to be hacked in that incident, but it only paid out in 2020.

Lesson #6 – It’s Time To Teach

That shows a corporate mindset that sees data hacking as the cost of doing business in the modern world – and that sees investment in robust cybersecurity as more trouble or expense than the cost of paying out when lax systems are compromised.

If the question from the technology sector is “How much does it have to hurt before companies get a clue about the impacts of a cyberattack?,” it’s possible that the rejoinder would be that the technology sector needs to significantly raise its game across the general business world to ensure that those impacts, along with prevention and mitigation strategies are understood equally as parts of the cost of doing effective, trusted business.