The malicious hackers who attacked the hotel group IHG (Intercontinental Hotels Group) claim to have taken advantage of a particularly weak password to succeed in their computer intrusion. Specifically, according to the BBC, which spoke with the hackers, the firm’s internal password vault was locked with the password “Qwerty1234”.
SCOOP on the IHG hotels hack: ‘Vindictive’ couple deleted hotel chain data for fun. Cyber crime couple from Vietnam launched destructive wiper attack deleting huge amounts of data after defenders foiled their ransomware attempt. https://t.co/VqhArSQ3HT
—Joe Tidy (@joetidy) September 17, 2022
That is, a risky combination of two of the worst passwords: “qwerty”, the first letters on English keyboards, and “1234”. Weak as the password was, it was not actually cracked, for example by brute-forcing every possible combination.
Controversy over corporate cybersecurity
But it may be even worse. According to the cybercriminals’ claims to the BBC, the username and password for this vault “was available to all employees” of the company. The British group of 6,000 hotels, known for its Holiday Inn, Regent and Intercontinental brands, maintained on the contrary that access to the vault was well secured.
The company also clarified that the attackers had to get past “multiple layers of security” to carry out their cyberattack, an account confirmed by the hackers themselves.
The hackers, who call themselves TeaPea, claim to have first gained access to the network by tricking an employee with a malicious attachment. They then allegedly bypassed the two-factor authentication system before accessing the internal password vault.
The intrusion, initially carried out in order to launch a ransomware attack, was done “for fun”, according to those responsible. The IHG group reported on September 6 that it had been the victim of a computer intrusion. This unauthorized access disrupted room reservation operations.
Since troubles never come alone, the hotel group is now being sued in the United States by franchisees, according to the American press. The plaintiffs accuse the company of negligence in its cybersecurity. They are seeking damages to compensate for the income lost because of the reservation problems.
The hotel group had already been sued a few years ago over a computer security matter. Attacks in 2016 had compromised customers’ banking data. The lawsuit ultimately resulted in a $1.5 million settlement in 2020.