The remarkably weak password that a pair of hackers used to cripple Holiday Inn’s room-booking system for a week is the latest evidence bolstering a lawsuit over the company’s lax technology controls, franchisees claim.
A couple from Vietnam told the BBC this weekend that they attacked the online reservation system of Holiday Inn’s owner InterContinental Hotels Group (IHG) by obtaining its password, Qwerty1234, which in addition to being easy to guess was widely shared throughout the company.
“The username and password to the vault was available to all employees, so 200,000 staff could see. And the password was extremely weak,” the couple told the BBC in an interview.
The attack stopped the hotel giant’s ability to book reservations online for several days last week, resulting in sharp occupancy drops. Customers were also not able to book rooms on third-party sites such as Expedia and Booking.com.
Only intermittent service returned for the second half of last week at many Holiday Inns, and, as of Monday, the reservation system was back up and running, franchisee Vimal Patel told The Post.
“These hackers were not pros and they were still able to do the damage,” Patel said. “The lame password used is the complete opposite of the hotel users’ password requirements when we have to access our own system.”
Holiday Inn franchisees on Sept. 15 filed a lawsuit in Atlanta US District Court against IHG saying it failed “to adopt reasonable data security measures that would prevent and detect unauthorized access to their highly-sensitive databases.”
The particulars of the attack, which were learned after the suit was filed, further bolster the case, which is seeking class-action status, according to Patel, a plaintiff who owns several of the 552 Holiday Inns in the US.
Holiday Inn franchisees pay $16.40 per month per room to IHG as part of a technology fee, the suit says. In some cases, the fee may also be calculated based on a specific percentage of gross room revenue, the suit says. This fee is generally increased by 2% each year.
“Clearly all the technology fees charged to us were not utilized to protect the franchisees,” Patel said.
“The Defendants had the resources to prevent a breach and made significant expenditures to market their hotels and hospitality services, but neglected to adequately invest in data security, despite the growing number of well-publicized data breaches affecting the hospitality and similar industries,” the suit alleges.
This is not the first Holiday Inn data breach.
“In May 2017, a class action lawsuit was filed against IHG by a class of consumers alleging that lax data security standards resulted in hackers accessing sensitive payment information including credit card numbers, expiration dates, verification codes and cardholders’ names for debit or credit cards used at [more than 1,000] hotels,” the suit says.
There was final approval of a class settlement for that suit on Sept. 2, 2020.
“We prioritized the recovery of our booking channels and revenue generating systems and were able to get those back up and running in a short period of time,” an IHG spokesperson told The Post. “Our security measures following the unauthorized activity in our technology systems are continuing. We are working closely with our technology suppliers and external specialists have also been engaged to investigate the incident. At this time, we have not identified any evidence of unauthorized access to guest data. We remain focused on supporting our hotels and owners.”
“We’re not able to provide further detail on pending litigation.”