OSLO, NORWAY — A recent ransomware attack on Nordic Choice Hotels was shut down within six hours and without any compromise to guest data, but the company's vice president of technology said it was imperative to be transparent about the breach with all stakeholders, including guests.
Speaking to Hotel News Now during the Hospitality Sales & Marketing Association International Europe TV Event at the Amerikalinjen Hotel, Kari Anna Fiskvik said hackers managed to infiltrate a third-party vendor that had completed bookings with the hotel firm on Dec. 1, 2021. The incident holds lessons for companies large and small across industries, from hospitality to retail to commercial real estate.
The third-party firm’s mail server was breached, leading to a hotel employee inadvertently clicking on a false link.
“We did not see [the criminals] when they first entered the system, but we saw them when they started encrypting our data … and then we shut everything down,” Fiskvik said.
Oslo-based Nordic Choice Hotels operates approximately 220 hotels across brands Clarion, Comfort and Quality Inn throughout Scandinavia and the Nordics.
Fiskvik said the company was not well-versed in best practices for responding to cyberattacks, but once the situation was in hand, within five to six hours, one of the first priorities was to alert and assure stakeholders.
“Even though we hear about it all the time, it still is sort of a little sci-fi,” she said, adding that additional training in resolving problems such as fire alarms and power outages prepared staff for the much rarer occurrence of a ransomware attack.
“Hotels obviously do have back-up practices … so we used these same practices when we got attacked. [Teams] were already drilled in these routines," she added.
She said crisis management is an everyday matter, and the staff is prepared for problems to potentially occur at any moment.
“They were good at improvising, good at [instigating] power-down keys, they had back-up lists of their customers and their rooms, so we enforced all of those routines," she said.
“We had an infrastructure team that was monitoring the environment, took everything down and followed their routines. And we had a software team in a security-operations center, a specialist team … [this] is everything they do, and we were very dependent on their competence,” she said.
Fiskvik added the authorities were contacted in all the countries in which Nordic Choice has hotels, but offered little help due to overwork and a general lack of knowledge.
“The law and their enforcers need more training in how to deal with this kind of criminality, which is really racing; and that is a mindset [law-abiding people] know very little about,” she said.
Specialist partners are key to quickly assess and resolve such crises, she said, noting information was shared with authorities as the situation unfolded.
“It is very hard to do it on your own,” she added.
Tools Down
Fiskvik said the hotel firm first made sure all internet channels were shut down. Communications were switched to cloud-based systems.
“This is hard,” she said, “as it is expensive,” adding not having all tools bundled in one environment is a waste of time and money in the course of most days, but is necessary when a business is attacked.
“The tech team then looked at who was behind [the attack] and how bad it was, and then we divided into teams. Some worked with communications, some worked with guest [relations]; some worked with the hotels; some were still doing forensics,” she said.
Specialist help was provided to hotel staff, some of whom did have personal information compromised in the attack.
Having a backup plan and backup systems helped to get the situation under control quickly, she said.
“It was important for us that we had several platforms, so that if one is taken down … we can communicate on [another]. We actually converted over 2,000 computers to a completely new [operating systems] within 48 hours, a world record,” she said.
“It is also very important to plan out how we will communicate with our employees and guests and everyone else who is affected. And for us, it was also the press. We got a lot of attention from the press very early on, a bit earlier than I had anticipated," she said, noting there had been several other cyberattacks in Norway and the region at the time, so the issue was getting a lot of attention.
The European Union's General Data Protection Regulation laws presented another challenge in communicating the relevant details of the breach to guests.
“According to GDPR laws, you can’t communicate with guests without consent, and that became a problem when we needed to communicate to them on something that had nothing to do with marketing,” she said.
First Service
She said during those first critical hours of the breach, all executive staff canceled their agendas, while front-line staff did what comes naturally to them.
“[Staff] gave out free champagne to people in line. They solved every issue there at their hotels, and the fact that they are service-oriented, have that culture in place, that definitely was a major part in getting so quickly back up,” she said.
“It is people helping people,” she said.
She also said success comes down to hiring the right people — staff who are able to come up with solutions, are people-oriented and understand what the fundamentals of the business are.
“And keep the spirit up,” she said.
She said GDPR compliance, testing and cognizance was critical in preventing guest data from being compromised, which also made messaging about the attacks easier.
“No one will want to stay at your hotel if they do not believe their data is safe,” she added.
Fiskvik said that even though the crisis is over, efforts are ongoing to repair the damage and shore up systems security.
“We were back up running to 80%, 90%, within a couple of weeks … with the booking system that was not affected, but we are still doing clean-up,” she said.
“We’re still cleaning up Windows machines, key-card service. We still have not opened fully internet services, and that clean-up will be ongoing for weeks. … It is not a sprint, it’s a marathon,” she added.
No payments were made to the hackers.