One of Oregon’s most prominent luxury destinations has been victimized by an unusual cyberattack, with hackers posting employee information and a ledger of guests online in an apparent attempt to squeeze the hotel and compel it to pay a ransom.
“It’s not a new strategy. It’s just the way they are implementing it that is new … by putting it on the public internet in an easily searchable form,” said Brett Callow, a threat analyst for New Zealand cybersecurity firm Emsisoft. “As far as I’m aware this hasn’t been done before.”
Hackers apparently breached The Allison Inn & Spa in Newberg, demanding that the property negotiate to keep employee and guest records confidential. The cybercriminals claim to have information on 1,500 employees and former employees and 2,500 reservation records from 2022.
XYZ, the domain registry on which hackers posted stolen data from The Allison, pulled down the website Wednesday morning on its own initiative.
“We have suspended the domain to prevent further harm. The activities of the domain were a clear violation of the XYZ Anti-Abuse policy,” said Jocelyn Hanc, operations vice president for XYZ.
The Allison acknowledged the attack and said it’s in the process of notifying victims. Lonny Watne, the inn’s finance director, said The Allison will provide victims with credit and identity monitoring service.
“We conducted a full investigation with the help of outside cybersecurity experts, and that investigation determined that some personal information was subject to unauthorized access,” Watne said. “The security of the information in our care is one of our highest priorities, and we have important steps to help prevent this from happening again.”
The Allison did not respond to a question about whether it has paid a ransom or would consider doing so.
The attack has attracted the attention of online researchers and national cybersecurity publications because of the hackers’ unusual approach.
Typically, cybercriminals publish any stolen data on the “dark web,” a portion of the internet that requires special browsers to access and doesn’t typically show up in online searches.
In this case, the hackers published the data on a public website, findable through a simple Google search. The site purports to list dates of guests’ stays, as well as employees’ birthdays, phone numbers and Social Security numbers.
Callow said the attack appears to be a kind of experiment by the hackers as they seek tactics to force their victims to pay ransoms. If it succeeds, he warned, the tactic may become commonplace and private information may be more readily available online.
“They’re likely doing this to see how much it moves the needle in their favor,” Callow said. “Their may not simply be to try to squeeze the money out of The Allison. It may also be to pressure their future victims who look at what happened to The Allison and think, I don’t want to go through that.”
Callow attributes the attack to the ALPHV/BlackCat ransomware organization. While several well-known Oregon brands have been hit by cyberattacks in recent months, Callow said there’s no reason to believe hackers targeted The Allison, specifically. Most likely, he said, it was a crime of opportunity.
“More often it’s the case that someone opened a spam email they shouldn’t have opened or a server doesn’t get patched,” Callow said.
Guests at The Allison probably don’t have to be too alarmed, he said. The only data posted for them appears to be the dates of their stay and the amount they were billed.
Employees face somewhat greater risk, because a good deal of their personal information appears to be readily accessible. Security experts generally advise people facing potential identity theft to contact national credit bureaus to request fraud alerts and credit freezes.
This article has been updated with comment from The Allison and with the news that XYZ has pulled down the website with the stolen information.
— Mike Rogoway | Twitter: @rogoway | 503-294-7699