POV: IHG's Recent Data Breach Wasn’t Due to a Weak Password

Instead, a successful phishing scam was ultimately what led to the data breach.

As more details come to light regarding the recent IHG data breach, one thing becomes clear: employee training to detect suspicious phishing emails must become a priority. Many news outlets have made it seem that a weak password was the cause of the company’s recent security breach, but if the hackers -- TeaPea -- who are claiming responsibility for the breach are to be believed, this really isn’t the case. TeaPea told the BBC that they were only able to gain access to the company’s internal IT network after an employee was tricked into downloading a malicious piece of software via a booby-trapped email attachment.

Interestingly, TeaPea says that they employed the phishing attack AFTER their initial ransomware attacks were prevented by IHG’s IT security team. So IHG was very successful, at first, at foiling the hackers.

After gaining access to the company’s internal IT network via the phishing email, however, the hackers were able to find the username and password to the company’s internal password vault. According to TeaPea, IHG made the mistake of allowing all 200,000 employees access to the vault (and the vault itself was protected with a very weak password: Qwerty1234). IHG disputes this claim and told the BBC that the password vault details were secure and that the hackers had to evade multiple layers of security to access it.

Regardless of how the hackers accessed the password vault, the fact remains that they would never have been able to get to it in the first place if IHG's employee had correctly identified the email as a malicious phishing scam and flagged it to the IT team.

This reveals just how important ongoing IT security training is for all levels of employees within a company.

“Unfortunately, in an industry where hospitality and customer service is the primary directive, employees are predisposed to being kind and willing to give too much information,” says Andy Rogers, Senior Assessor of Schellman, a global cybersecurity assessor.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, agrees.

"Front line hospitality workers are in an industry where customer service and customer satisfaction are the highest priority and cybersecurity is not the greatest concern at the front desk," Parkin says. "Even when they have had the appropriate training, they are often in situations where security takes a back seat to providing quality customer service. That makes these employees a good target for social engineering, which is something threat actors know well."

For hoteliers, recognizing this as a true weakness and doing what they can to remediate this problem is a necessity.

First and foremost, this means helping employees to "feel as if they are part of the shield [protecting] a company, its customers and IP. Many employees go through [training] and never think nor understand the role they play" in protecting their job, their company, and their guests, explains John Bennett, Global Head of Government Affairs in the Cyber Risk Practice, Fellow of the Kroll Institute and former Assistant Director of the FBI.

Additionally, companies can "include a couple of questions on protecting the company from cyber-threats on performance evaluation forms," says Alan Brill, Senior Managing Director in the Kroll Cyber Risk Practice and Fellow of the Kroll Institute. "This practice seems to make it real and more important to employees. People tend to focus on things that they’re measured on. Taken seriously, this can make a difference in attitudes and behaviors.”

Once employees are aware of the role they play in protecting the company, they must then receive regular and high-quality training on a variety of phishing attacks.

"The only thing to combat a well-directed phishing attack such as this is training employees and ensuring you’re doing your own high quality phishing (email), vishing (video), smishing (SMS), and social engineering (includes phone, physical access, and other types of access) campaigns internally," Rogers says. "This reinforces the training and it works to ensure that your employees are skeptical of individuals attempting to get sensitive information and get the upper hand in your organization.”

Just remember, an hour-long security training session once a year is likely to be highly ineffective. Instead, consider multiple short training sessions held regularly.

"What we see when discussing hacking events are clients offering either no training or very long, time-consuming training sessions," says Rahul Mahna, Managing Director at EisnerAmper’s Outsourced IT Services team. "Our experience has been the best education is what we call 'learning snacks' or micro training sessions of 2-5 minutes. We have found it greatly enhanced employee acceptance and education success in this methodology because it is easily digestible, and the information is more likely to be retained by the employees.”

Hoteliers can take additional steps to prevent criminals from gaining access to internal systems. For instance, Eric Sackowitz, co-founder and Chief Technical Officer of SecureCo, recommends that hoteliers reevaluate their use of email.

"Email systems are too intimate with business applications and are typically installed on the same workstations for convenience," Sackowitz says. "Perhaps, as a safer alternative, it's time to look at sandboxing or bifurcating critical systems over ones that converge with public delivery. Perimeters are still necessary. Additionally, there are technologies that can block or proxy any outbound URL from email that will minimize risk."
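As an added illustration (this is not code from the article, from IHG, or from any of the companies quoted), the following Python sketch shows the two mail-gateway controls the piece touches on: flagging attachments whose extension indicates executable content, the kind of booby-trapped attachment described above, and rewriting every outbound URL in a message so that a click is routed through a click-protection proxy first, as Sackowitz suggests. The proxy hostname, the extension list and the sample message are all constructed for the example; a real deployment would substitute its own gateway and policy.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Hypothetical click-protection gateway (assumption, not from the article).
# Every link a user clicks is resolved and inspected there before the user
# reaches the real destination.
PROXY_BASE = "https://clickguard.example.internal/redirect?u="

# Extensions that commonly carry executable content when they arrive by mail.
# Illustrative list only, not a complete attachment policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Matches http(s) URLs in plain text up to the first whitespace, bracket or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def rewrite_url(url: str) -> str:
    """Wrap a URL so the click goes to the proxy, carrying the original as a parameter."""
    return PROXY_BASE + quote(url, safe="")


def risky_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments whose extension is on the risky list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()   # "booking.pdf.exe" -> ".exe"
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def proxy_links(msg: EmailMessage) -> list:
    """Rewrite every URL in the message's text/plain parts in place; return the originals seen."""
    seen = []

    def _replace(match):
        seen.append(match.group(0))
        return rewrite_url(match.group(0))

    for part in msg.walk():
        # Only the readable body is rewritten; attachments are left untouched.
        if part.get_content_type() != "text/plain" or part.is_attachment():
            continue
        part.set_content(URL_RE.sub(_replace, part.get_content()))
    return seen


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message, apply both controls and return a report."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"risky_attachments": risky_attachments(msg)}
    report["urls"] = proxy_links(msg)
    body = msg.get_body(preferencelist=("plain",))
    report["body"] = body.get_content() if body is not None else ""
    return report


def build_sample() -> str:
    """Constructed lure for the example (not a real message): a link plus a
    double-extension executable posing as a PDF."""
    msg = EmailMessage()
    msg["From"] = "reservations@example.com"
    msg["To"] = "frontdesk@hotel.example"
    msg["Subject"] = "Guest booking confirmation"
    msg.set_content("Please review the booking at https://evil.example/login before check-in.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="booking.pdf.exe")
    return msg.as_string()


SAMPLE_RAW = build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE_RAW))
```

Running the script reports the executable attachment and shows the body link replaced by its proxied form; the original destination survives only as an encoded parameter, so a later reputation check at the proxy can still refuse the redirect after the mail has been delivered.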

Brands may also consider "a comprehensive security program that encompasses user testing and other software or services-based email protection,” says Max Shier, vice president and chief information security officer at Optiv Security. “Employee training is just one factor of an effective security program, and several layers of defense need to be considered when trying to prevent phishing attempts from being successful. A strong and resilient security posture starts from within.”
