The remarkably weak password a pair of hackers used to cripple Holiday Inn’s room reservations system for a week is the latest evidence supporting a lawsuit over the company’s lax tech controls, franchisees claim.
A couple from Vietnam told the BBC over the weekend that they had attacked the online reservations system of Holiday Inn owner InterContinental Hotels Group (IHG) by obtaining its password, Qwerty1234, which, in addition to being easy to guess, was widely shared throughout the company.
“The vault username and password were available to all employees, so 200,000 employees could see. And the password was extremely weak,” the couple told the BBC in an interview.
The attack prevented the hotel giant from taking online bookings for several days last week, leading to a sharp drop in occupancy. Customers were also unable to book rooms on third-party sites such as Expedia and Booking.com.
Only intermittent service returned for the second half of last week at many Holiday Inns, and by Monday the reservation system was back up and running, franchisee Vimal Patel told The Post.
“These hackers weren’t pros and they were still capable of doing damage,” Patel said. “The lame password used is completely opposite to the password requirements of hotel users when we need to access our own system.”
On September 15, Holiday Inn franchisees filed a lawsuit in the U.S. District Court in Atlanta against IHG, claiming that it had failed to “adopt reasonable data security measures that would prevent and detect unauthorized access to their highly sensitive databases”.
The details of the attack, which were learned after the lawsuit was filed, further bolster the case seeking class action status, according to Patel, a plaintiff who owns several of the 552 Holiday Inns in the United States.
Holiday Inn franchisees pay $16.40 per month per room to IHG as part of technology fees, the lawsuit says. In some cases, fees may also be calculated based on a specific percentage of the room’s gross revenue, the lawsuit says. This fee is generally increased by 2% each year.
“Obviously not all of the technology fees that were charged to us were used to protect franchisees,” Patel said.
“Defendants had the resources to prevent a breach and made significant expenditures to market their hotels and hospitality services, but failed to invest adequately in data security, despite the growing number of well-publicized data breaches affecting the hospitality and similar industries,” the suit alleges.
This isn’t Holiday Inn’s first data breach.
“In May 2017, a class action lawsuit was filed against IHG by a class of consumers alleging that lax data security standards led hackers to access sensitive payment information, including credit card numbers, expiry dates, verification codes and names of holders of debit or credit cards used at [more than 1,000] hotels,” the suit says.
There was final approval of a class settlement for this lawsuit on September 2, 2020.
“We prioritized recovering our reservation channels and revenue-generating systems and were able to get them back up and running in a short period of time,” an IHG spokesperson told The Post. “Our security measures against unauthorized activity in our technology systems continue. We are working closely with our technology providers and external specialists have also been engaged to investigate the incident. At this time, we have not identified any evidence of unauthorized access to customer data. We remain focused on supporting our hotels and owners.
“We are unable to provide further details of ongoing litigation.”
New York Post