(Muir Analytics’ Quick Brief is broadly based on the Pentagon EXSUM briefing method. The aim is to quickly explain an evolving hotel threat issue in about 15 lines in executive summary format. Muir has added a quick analysis of the issue that can help hotels mitigate certain risks.)

Chain of events

1. From multiple press reports, it is apparent that, in recent weeks, Thailand-based Central Group, which owns hotels, restaurants, and other businesses, suffered a data breach of its restaurant network. The company is worth nearly $12 billion.
2. The DESORDEN hacker group claimed responsibility for the attack.
3. Privacy Affairs reports that DESORDEN became known in September 2021 after hacking the Malaysian division of ABX Express Enterprise and Malaysia-based logistics carriers Skynet. It has also attacked Acer India and Acer Taiwan. In the Acer attacks, DESORDEN said its primary goal was to reveal vulnerabilities in the target computer systems. There is some unconfirmed reporting on data held for ransom in these latter cases as well.
4. Regarding the restaurant hacking, DESORDEN absconded with 80GBs of Central Group’s restaurant files, including business data and customers’ data. Central Group runs 2,000 restaurants.
5. Central Group was reportedly negotiating with DESORDEN over a ransom payment of USD $900,000, but the talks collapsed.
6. In retaliation, ZDNet reports that DESORDEN then attacked Central Group’s Centara Hotels & Resorts, which Central Group became aware of on 14 October.
7. Hospitality.net says Centara Hotels & Resorts is Thailand’s leading hotel company. It has 76 high-end properties across Asia, the Levant, and the Middle East.
8. The Cyber Security.News linked a two-minute, twenty-second video by DESORDEN showing that it did indeed have Centara’s data. The video was posted on Twitter by Hudson Rock, an Israel-based firm that protects companies from hackers.
9. The Cyber Security.News also posted a picture of DESORDEN’s claim of responsibility and reason for the hotel hack. It said: “For those who had questions on why DESORDEN keeps attacking central group: This is direct retaliation because central group management agreed to pay, however changed their minds on payment day period since then, DESORDEN has been attacking and breaching many of their group of companies.” The group said more attacks would follow.
10. The tactic DESORDEN used to penetrate Central Group is unknown, but the group told ZDNet it attacked the company’s “entire backend, which consists of 5 servers.”
11. Regarding damages in the hotel attack, DESORDEN said it had, over 10-days, stolen 400GB of business data from each Centara hotel and guest data going back 18 years. The data included: Names, phone numbers, email addresses, home addresses, photos IDs, booking information, and passports.
12. The Thaiger cited Centara CEO Thirayuth Chirathivat as saying the breach had been contained. He also said their customers should change their passwords, monitor their electronic profiles and accounts for suspicious activities, and contact Centara’s hotel branch if they had further questions. Thirayuth is also a member of Centara’s Risk Management and Corporate Governance Committee.

Takeaways

First, because DESORDEN has attacked five major companies in two months, it appears to be a highly effective hacking organization, and it should be taken seriously.

Second, in the case of Central Group, DESORDEN has shown a high degree of confidence, sophistication, and audacity by continuing to attack its target as ransom talks began to falter. This was no hit-and-run attack by hackers who feared getting caught. DESORDEN appears to have known it could take things to the next level if the ransom talks failed. It seems to have known Centara Hotels & Resorts would be continually vulnerable to its hacking tactics.

Third, while it is not yet clear what tactics DESORDEN used to hack Centara Hotels & Resorts and these other targets, the results were mostly the same: server access, which put all target companies in terrible positions. This is especially true with Centara Hotels & Resorts because the impact extends to thousands of customers – all of whom are now vulnerable to phishing attacks, identity theft, and the like.

Fourth, the latter issue – all the thousands of impacted hotel guests – opens up Centara Hotels & Resorts to many lawsuits and significant brand damage.

Fifth, it might also put Central Group in a bad position if it aims to tap insurance for the hotel attack. Specifically, if Central Group knew the restaurant side of its business was under cyberattack (and it certainly did), but it did not take steps to secure the hotel side of its business (and it may or may not have tried), then an insurance company might resist a full payout because the insured’s responsibility to mitigate known and obvious risks might not have been met.

Sixth, aside from encrypting data, monitoring for cyberattacks, and implementing firewall, password, and anti-phishing security, large corporations need to run security checks on the software they purchase before they deploy it, companywide. Some software comes with prepositioned malicious code that allows hackers easy access to corporate data. This kind of preplanned, well-thought-out sabotage demonstrates that hackers are expanding their capabilities exponentially, and corporate cybersecurity is lagging in many cases.

Sources and further reading:

“Luxury hotel chain hit twice by hackers after reneging on ransomware payment,” The Cyber Security.News, 29 October 2021.

“Centara Hotels suffer data breach by hackers Desorden Group,” The Thaiger, 29 October 2021.

“Luxury hotel chain in Thailand reports data breach,” ZDNet.com, 28 October 2021.

“Hackers breach Thailand’s central restaurants group, hack affects over 2,000 restaurants,” Privacy Affairs, 27 October 2021.

Hudson Rock, @RockHudsonRock, 2021, Oct 27, DESORDEN hacking group is claiming responsibility for the hack of Centara Hotels, a major hotel chain, https://twitter.com/RockHudsonRock/status/1453339450868740102.

“Centara Hotels & Resorts,” Hospitality.net.

Copyright © Muir Analytics 2021