Jan Tue, 2017 Hotel Attacks
On 28 January, The Local, an Austrian news source, reported that cybercriminals had recently hacked into the Romantik Seehotel Jaegerwirt in Turrach. The attackers damaged the hotel’s electronic key system and also shut down all the hotel’s computers, which included the front desk, point of sale, and reservations systems. Initial press reports saying that hotel guests were locked in or out of their rooms have been retracted by one of the original reporting sources, and Cristoph Brandstaetter, manager of the hotel, told Motherboard, “It was just a normal cyber attack and no guests were locked in.” Brandstaetter did say, however, that they were unable to make electronic room keys for new guests.
Because of this last issue, there is continued reporting suggesting that scores of guests, and not just new guests, were locked out of their rooms. (Interviews with hotel guests who were present during the hack attack would help clear up this issue.)
After infiltrating the hotel’s computers, the hackers, via ransomware, extorted the hotel for 1,500 EUR ($1,602.22 USD) in Bitcoin (which equates to 1.74 Bitcoins) to release control of the hotel’s computer system.
Located in central southern Austria about 30 miles due north of the Slovenian border, the Romantik Seehotel Jaegerwirt is a four star hotel in an alpine setting on the shores of Lake Turrachsee. It boasts spa, alpine, and skiing activities, plus upscale restaurants and bars.
The timing of the attack coincided with the opening of the winter season – early January, says Bleepingcomputer.com – and hotel management admitted that there had been three other hack attacks on the hotel, one of which happened over the summer. Without going into details, hotel management said that the summer attack had cost, “several thousand Euros,” and that quietly paying the hackers had been the best way to alleviate the issue.
Additionally, past attacks entailed hackers installing “back door” malware on the hotel’s system, though hotel cyber security reportedly defended against it.
Though there was no physical damage from this particular hack, the potential for genuine physical damage in these cases is worthy of discussion. There were 180 guests in the Romantik Seehotel Jaegerwirt at the time of the incident, a full booking, and scores of them could have been impacted by an attack that assumed control of the hotel’s lock and key system. For example, if there was a case where a guest was locked out of their room, and they needed life saving medicine from their travel kit, their life would be in danger. In a like scenario, if there was a fire or some other kind of emergency, those locked in their rooms might even perish.
More deviously, a terror group that wanted to insure maximum casualties at a hotel could apply similar hacking tactics on top of a physical attack.
The Romantik Seehotel Jaegerwirt’s management came forward about the hacking in order to educate the public and encourage the international hotel sector to increase its cyber defenses. They said the police could not remedy the situation, and that insurance had not been helpful, either.
The hotel is taking steps to replace all electronic locks with traditional steel locks and keys to avoid similar hacking issues in the future. It is also reportedly replacing all of its computers and compartmentalizing its system to minimize its online exposure.
There are four takeaways here. First, this hack attack is part of a common and ongoing trend in the hotel industry. Muir Analytics estimates that for every major hotel hack mentioned in the press, there might be at least three that are not mentioned (just as with the Romantik Seehotel Jaegerwirt,) which would statistically make hotel hacks a regular, monthly occurrence.
Second, the hotel got off lucky regarding the small ransom. The hotel’s maximum revenue per available room is approximately $38,000 USD per day. Copycat hackers at other hotels might not be so timid with their demands for money.
Third, hotels should not wait for hack attacks to happen and then apply maximum cyber defenses in the aftermath; they should be applying those defenses now. (And the same goes for physical security against violent attacks.) It seems that the Romantik Seehotel Jaegerwirt did affect at least some cyber defenses after the preceding three hack attacks, but they were not enough. The resulting bad press did PR damage to the hotel.
Fourth, the Romantik Seehotel Jaegerwirt applied relatively effective PR in managing the aftermath of the hack attack (though some reporting still asserts that guests were locked in/out of their rooms.) The hotel clearly explained the circumstances of the attack, it admitted that it had happened before and that it was applying corrective security measures, and it also worked hard to dispel incorrect reporting. In doing so, the hotel has likely assured its future guests that it is dedicated to providing a safe and secure cyber environment for them, thereby mitigating bad press and protecting their ROI.
Sources and further reading:
“Ransomware Infects Electronic Door Locking System at Austrian Hotel,” Bleepingcomputer.com, 29 January 2017.
“This Luxury Hotel Is Sick of Ransomware Attacks, So It’s Going Analog,” Motherboard, 29 January 2017.
“Hotel ransomed by hackers as guests locked out of rooms,” The Local, 28 January 2017.
“Four-star Alpine hotel fell victim to blackmailers who hacked into their electronic keycard system and locked guests in their room (so they’ve brought back traditional locks and keys),” The Daily Mail, 27 January 2017.
Copyright © Muir Analytics 2017