Skip links

A cyber attack in the hotel, what now?

Data breach in a hotel

Sjors Brul, founder and owner of Sbit, is only a few hours back from vacation when he receives an urgent phone call late at night.

An international hotel chain with more than twenty hotels has been the victim of a cyber attack.

A reconstruction of a more than radical operation.

The message popped up on all screens in the hotel organization that the cyber criminals were ‘in’, that the help desk had to be contacted and that an amount of Bitcoins had to be transferred to regain access to their own PCs.

Because all the PCs were held hostage.

‘Ransomware’ ensured that all PCs got encrypted, but also the servers could be held hostage.

“As a hotelier, you don’t know that yet at that time,” says Brul.

“The first thing to do is not to panic, then you should turn off all access to the internet. In this case, it involved more than twenty branches spread over seven countries.”


PCs, cash registers, servers and workstations were all shut down.

The organization was put in a deadlock as an in-depth research was needed to figure out how the cyber criminals entered their systems. “What you absolutely must avoid is trying to fix it yourself, without the right knowledge.”

A cyber attack is a crime and should be carried out as such. A forensic team needs to investigate.

This team, called a ‘Red-Team’, is designated by the cybersecurity insurer. They start with two questions: what has been touched?

And how could this have happened?

“And in the meantime, the organization was still flat on it’s back. It went back to pen and paper. In this case, the damage for the entire organization amounted to 100,000 euros per day.”

The ‘Red-Team’ (name for a investigative team appointed by the insurer) investigates how the criminals came in by checking the systems.“We, as an IT service provider, examine the quality of the backups.

We do that every day, to check that they are working, but also to make sure they are in a safe place. The backups are also often damaged by these hackers, but we have protection for that.”

What the criminals are mainly looking for is blackmailable information.That can be information about guests.

“But credit card details should no longer be found in the systems. They also focus on the PMS system, and on the online behavior of the employees.

Which websites were visited, which videos were viewed… That kind of information.

That is blackmailable information that you as an organization do not want to be exposed to the public.

The reputational damage that you incur the moment your digital vulnerability is revealed is immense.”


Of course, the criminals don’t take a break when Red-Team starts the investigation.

They see their activities and act accordingly.

“They call and say that they are offering their services to Microsoft and that it is so annoying that your organization has been hacked.

But they have the solution.

Another advice is: trust nobody and communicate with your own people.

As an organization you are extremely vulnerable when you are attacked.

It is like an army is standing at your door,” says Brul.

To prevent cyber criminals from entering, it is wise to know how they get in.

This can be done in a number of ways.

Via ‘phishing’, an update that has not been carried out or has not been carried out properly or a breach in the company’s software systems via an employee who works from a private laptop and is therefore less secure, which happened a lot during the various lockdowns.

“In this case, in which more than twenty hotels were the victims, it was an update that was not carried out properly.

The Red-Team found out that in this case, the criminals had been inside for four months.

That means any backups made in the meantime cannot be trusted.”

Systems were reset to the last safe state, or in the worst case completely replaced.

From that point on, all data had to be examined and tested for reliability and safety.

Sjors Brul talks about ‘White Listing’; approving websites and systems one by one. “In this case, we worked in that ‘White Listing mode’ for four months.

Step by step, labeling every website and every link as safe before it could be used again. We were lucky that this hotel chain works with the PMS system in a hosted environment and we were able to conclude fairly quickly that the PMS system was not attacked and therefore it was safe.”


According to Brul, you do this first of all by creating awareness in the organization about the dangers of cybercrime. “The hotel industry is paying more and more attention to this, but there is still a lot of room for improvement.

A cyber security threat is just one click away and employees often remain silent about this, also out of shame.

The sooner it is reported, the better the evil can be fought.

The danger lies in invisibility, but in many hotels, the digital door is ajar or even further. Nothing can be seen on the surface, but a few months later the consequences could be disastrous.”

Cyber attack checklist

A cyber attack on a hotel organization is often the result of months of preparation by cyber criminals.

The criminals make their demands known if they have managed to collect enough sensitive information.

What steps should you take as a hotelier if you are faced with a cyber attack?

1. Don’t panic and don’t investigate it yourself

2. Turn off the internet connection

3. Contact the cybersecurity insurance company

4. Get forensics done

5. Don’t trust anyone

6. Keep the team informed

7. Inform the authorities within the legal deadline

8. Check Backups

9. Provide insight into when the criminals entered the system

10. Distrust all information that is in system since the attack

11. Restore the systems

12. Take corrective action to reduce the chance of another attack

It is of course better to avoid all this. Make an appointment with one of our specialists via our website or call 0182 747 000


Related Articles