Hackers Deleted Hotel Chain Data ‘For Fun’

Hackers who attacked Intercontinental hotel operator IHG earlier this month say they deleted corporate data after failed ransomware attack

Hackers who disrupted the systems of Holiday Inn operator Intercontinental Hotels Group (IHG) earlier this month have said they deleted large amounts of the company’s data “for fun”.

The hackers described themselves to the BBC as a couple from Vietnam who had deleted the data after failing to deploy ransomware across IHG’s systems.

“Our attack was originally planned to be a ransomware but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic],” one of the hackers told the BBC over the encrypted chat app Telegram.

Data wipe

“We did a wiper attack instead,” they added.

The hackers said they turned to illegal activity for money due to their poor economic prospects in Vietnam.

“We don’t feel guilty, really. We prefer to have a legal job here in Vietnam but the wage is average $300 (£263) per month. I’m sure our hack won’t hurt the company a lot,” they told the BBC.

They said no customer data was stolen but that they had taken some corporate data, including emails.

Social engineeering

Calling themselves TeaPea, the hackers said they initially tricked an IHG employee into opening a malicious email attachment to gain access to the company’s systems.

They bypassed two-factor authentication tokens sent ot the worker’s devices and then accessed IHG’s internal password vault, which they said was itself protected by an “extremely weak” password – Qwerty1234.

“The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak,” TeaPea told the BBC.

IHG said the hackers had had to evade “multiple layers of security” to access the password vault, but did not give details.


“IHG employs a defence-in-depth strategy to information security that leverages many modern security solutions,” the company said.

Customers of IHG, which operates the Holiday Inn and Intercontinental hotel chains amongst others, began experiencing disruption in online bookings during the first weekend of September.

The firm initially responded to users’ complaints on social media by saying it was “undergoing system maintenance”.

On Tuesday, 6 September, it acknowledged in a mandatory filing with the London Stock Exchange that it had been hacked.

International effect

“IHG’s booking channels and other applications have been significantly disrupted since yesterday, and this is ongoing,” the company said at the time.

IHG operates about 6,000 hotels in total across 100 countries, with about half of those in the United States.

The company now says that customer-facing online systems are returning to normal but that service may remain intermittent.

It has been able to operate its hotels throughout the incident and to take bookings by telephone.

In April 2017 hackers stole customer payment card details from around 1,200 of IHG’s franchised hotels.