Holiday Inn Parent Company Hacked Through Weak Password

More proof that it doesn't pay to use weak passwords.

If you’ve wondered why having a strong password is necessary, this recent trouble is the reason. Intercontinental Hotels Group, the parent company of the Holiday Inn and other hotel chains, was hacked, and a Vietnamese couple is claiming responsibility for deleting the chain’s data, saying they did it through a week password.

ICG Trouble

Customers of Intercontinental Hotels Group (ICG) first started reporting errors booking rooms and checking in on September 5. IHG responded on social media and said it was “undergoing system maintenance.”

The hotel chain released an announcement to investors on September 6 that said part of its system had been “subject to unauthorized activity.” It reported that the booking channels and other applications had been disrupted since the day before.

Holiday Inn Ihg Hacked Booking Website

ICG said it reacted to the hack by putting into play its response plans and notifying the authorities, adding that it was working on the issue with tech specialists. ICG also said it was supporting hotel owners and operators and that its hotels were still operating and taking reservations.

Couple Claims Responsibility for Hack

A Vietnamese couple came forward and admitted to the BBC that they were behind the ICG cyberattack, yet deleting a large amount of data wasn’t the original plan. Initially, the plan was to launch a ransomware attack after they gained access to the company’s databases through a very weak password: “Qwerty1234.”

The couple, going by the name of TeaPea, reached the BBC through Telegram and supplied screenshots, which IHG confirmed were authentic, that showed them gaining access to ICG’s Outlook emails, Microsoft Teams chats, and server directories.

Image source: Unsplash

The hackers explained, “Our attack was originally planned to be a ransomware, but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead.”

TeaPea also claimed that they only make about $300 monthly, so they don’t feel guilty doing something illegal. They don’t believe their actions hurt the hotels that much. No customer data was removed from the services.

They were able to access the internal IT network at IHG through malicious software that an unknowing employee downloaded from an email. It was also able to break through the company’s 2FA system. Once inside the server, they found the login details for the internal password vault.

ICG Systems Returning to Normal

ICG reported afterward that while the services of Holiday Inn and its other services were still being interrupted, the systems were returning to normal after they were hacked.

Image source: Wikimedia Commons

The hotel chain’s spokeswoman defended its security practices, stating that for hackers to get through to its systems, they had to get past “multiple layers of security,” adding, “IHG employs a defense-in-depth strategy to information security that leverages many modern security solutions.”

But the point remains: there is a weakness somewhere within the systems of Holiday Inn and the other hotel chains for the sensitive information to be hacked. “Qwerty1234” appears on lists of common passwords and isn’t safe to use. Additionally, while it does have lower and uppercase letters and numbers, it does not have any symbols. If IHG did use that as a password, it was not a “defense-in-depth strategy.”

Image credit: Wikimedia Commons All screenshots by Laura Tucker

Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Thanks for subscribing! Please check your email for further instructions.