Cyberattack on (Dec. 11, 2022)

Sicherheit (Pexels, allgemeine Nutzung)[German]The hotel chain H-Hotels has fallen victim to a cyber attack. As a result, the hotel chain's internal and external communication is currently only available to a limited extent. However, bookings and hotel operations of the group should continue to be possible. So far, the company assumes that no customer data has been leaked in this attack, which took place over the weekend. Addendum: The Play ransomware group took responsibility and has published a statement.


Cyber attack confessed

According to a statement from the hotel chain, the cyber attack on the IT network took place as early as Sunday, December 11, 2022. It is important to qualify that the cyberattack was detected by the hotel company's IT security systems on Sunday (the attackers could have been dabbling in the IT system weeks before).

After noticing a cyberattack, employees immediately shut down the hotel chain's IT systems and disconnected them from the Internet to ward off further spread. immediately informed the relevant investigative authorities and filed a criminal complaint. In close coordination with the investigating authorities, IT forensic experts are currently investigating all affected IT systems.

These analyses will take several days. Afterwards, all systems will be cleaned up and all data will be conclusively checked in order to be able to rule out a continuation of the cyber attack or a renewed cyber attack. In its announcement, the hotel states that cyber criminals succeeded in breaking through the extensive technical and organizational IT protection systems. What exactly these measures were, however, remains in the dark – but may simply be one of the usual platitudes.

So far, the IT forensic experts have no indication that relevant or personal data was stolen as a result of the cyber attack. Further investigations will be carried out in the coming days in coordination with the investigating authorities and the responsible data protection authority. If, in the course of these investigations, an outflow of personal data is identified, will inform the affected persons. I read between the lines that it could probably be a ransomware infection, so one can assume a data outflow – but we will then find out in the coming days.

The ongoing hotel operations in the individual hotels of the group are ensured and bookings are accepted in the hotels as usual. Inquiries by e-mail can currently not be answered or not answered promptly. Customers are advised to contact the desired or already booked hotel by phone in case of a contact request.

Data probably extradicted

Addendum: As expected by me, the H-Hotels Group has now admitted to first indications of stolen data. In a further announcement Nach Cyberangriff auf, there is now talk of "first indications of possibly stolen personal data". It states in this regard:


In the course of the ongoing investigations, the suspicion that personal data (e.g. name, address, e-mail address) could also be affected by the data theft appears to have been substantiated. The group of perpetrators has provided corresponding information that cannot be verified as to its accuracy, which also does not rule out the possibility of personal data being stolen. Mitteilung

This sounds to me like double extortion from ransomware gangs that rip off data, encrypt the files, and later extort the victims with the threat to release the data. Bleeping Computer colleagues report here that Play Ransomware group claims responsiblity  for the attack. The colleagues have published a screenshot of the group in question, where they announced a publication of exfiltrated personal data.

Das klingt für mich nach Doppelter-Erpressung von Ransomware-Gangs, die Daten abziehen, die Dateien verschlüsseln und später die Opfer mit der Drohung, die Daten zu veröffentlichen, erpressen. Die Kollegen von Bleeping Computer berichten hier, dass die Play Ransomware-Gruppe für den Angriff verantwortlich zeichnet. Die Kollegen haben einen Screenshot der betreffenden Gruppe veröffentlicht.

The intriguing question is which areas of the IT systems were affected by the attack and whether the databases with payment data could also be accessed. says it is working closely with IT forensic experts and the already informed data protection authorities to minimize the impact from the stolen data. intends to inform data subjects if personal data has been stolen, as required by the data protection authority. operates 60 hotels at 50 locations in Germany, Austria and Switzerland. The total capacity is approximately 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region. It operates under "H-Hotels" and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels and H.omes.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *