Omni Hotels confirmed that a limited amount of data was compromised following a March 2024 cyberattack. According to the company, the impacted data does not include sensitive information such as personal payment details, financial information or social security numbers. However, it does include names, email addresses, mailing addresses as well as select guest loyalty program information.

While the Omni Hotels has not said who is responsible for the cyberattack, Daixin Team – a ransomware gang – added the hotel chain to their dark web leak site in mid-April along with a threat that the gang would soon leak the information they stole. Daixin shared screenshots of the stolen data with DataBreaches.net, showing it had access to a database containing more than 3.5 million records from Omni Hotel guests dating back to 2017. The gang also provided DataBreaches.net with a screenshot of a chat conversation between the gang and Omni Hotels (on April 11 and 12) showing that Daixin was asking for $2 million from the hotel brand. (According to some news reports, the ransomware gang originally asked for $3.5 million.)

The Daixin Team has been on the CISA, FBI and Department of Health and Human Services’ radar since October 2022. At that time, the cybercrime gang was targeting the U.S. Healthcare and Public Health sector. Apparently, the Daixin Team exploits known vulnerabilities in an organization’s VPN servers or uses compromised VPM credentials belonging to accounts that have toggled off multi-factor authentication to gain access to networks. Omni Hotels has not confirmed if this is how the Daixin Team accessed its systems.

HT reached out to our cybersecurity community to ask what advice they have for hoteliers who are looking to prevent their organization from making cybercrime headlines. Here's what they had to say.

Prioritize Secure-by-Design Approaches

"Across industries, hackers are beating security teams to the punch where organizations lack awareness and visibility into their true cyber risk exposure,” Kory Daniels, CISO at Trustwave. “The only way for businesses to get ahead of threats and cyberattacks is with a secure-by-design approach. The rapid digitization of services in the hospitality industry—​digital keycards, contactless check-ins, online payments, and reservations—​offers guests a more seamless experience. However, these technological advancements have simultaneously increased the number of devices and endpoints connected to hotel networks, adding new risks and potential vulnerabilities. Recent events in the hospitality industry epitomize just how disruptive an attack can be on these interconnected systems, even—and, sometimes, especially—​when managed on a centralized network. To maximize convenience for guests while minimizing risks, the hospitality industry requires multiple layers of security and continuous monitoring to stay informed about risk exposure, protect against breaches, and mitigate impact by preventing cybercriminals from moving across interconnected networks to gain access to guests’ personal information, travel preferences, identification documents, and payment details.”

Immersive Tabletop Exercises are Essential

"Regular immersive tabletop exercises are crucial for testing incident response playbooks and practicing scenarios involving disruptions to business operations caused by cyber-attacks," says John Dwyer, Director of Security Research, Binary Defense. "These exercises enable teams to identify gaps in procedures, enhance coordination between departments, and improve decision-making under pressure, ultimately bolstering the organization's resilience against real-world threats. Incidents are difficult enough for organizations, they don’t also need to be compounded with disrupted business operations."

Cyber Resilience Supersedes Disaster Recovery

"In today's rapidly evolving threat landscape, cyber resilience stands out as a superior strategy compared to traditional disaster recovery methods," Dwyer explains. "While disaster recovery focuses primarily on restoring systems and data post-incident, cyber resilience takes a proactive approach by emphasizing continuous operations despite cyberattacks. This approach acknowledges the inevitability of breaches and aims to maintain a minimum viable company during disruptions. By prioritizing measures to sustain essential functions, organizations reduce downtime and mitigate the impact of attacks on operations, finances, and reputation. In essence, cyber resilience fosters adaptability and agility, allowing businesses to not only withstand but also thrive in the face of evolving cyber threats."

Basic Information Security Controls are Crucial

"It is still shockingly common for attackers to exploit a lack of basic information security controls," says Alex Hamerstone, Advisory Solutions Director, TrustedSec. "Time and time again we see where the things we have been recommending for years or decades are not in place, which leads to incidents. While it is not confirmed that this incident was due to not having MFA turned on for the VPN, it is a good wake up call for others in the industry to ensure that controls such as MFA are in use everywhere possible at all times. Hospitality organizations are highly focused on the guest/customer experience, and often times security can be seen as being at odds with ease of use. It is essential that organizations focus on getting the security basics right, and getting the basics right can go a long way towards lowering risk."

Michal Christine Escobar