Hotel Ditches Key Cards After Ransomware Attack

John Lister's picture

Hackers have forced a hotel to ditch its electronic room key system and return to physical keys. But reports that guests were locked in and out of their rooms turned out to be overblown.

The Seehotel Jaegerwirt in Austria has been targeted by at least four different attacks on its computer system. The most recent involved the system data being encrypted and the hackers demanding a payment in the virtual currency Bitcoin equivalent to around $1,600.

The hotel mentioned the attack in a press release designed to raise awareness and warn other hotels of the need to maintain security. A news agency picked up the story and ran it, leading to a report on an Austrian news site. That in turn got picked up by English language sites and it quickly spread worldwide.

Reports Include False Claims

It turns out that somewhere between the news agency rewriting the press release and the English language sites translating the story, the facts got distorted. International reports claimed the attack had disabled the electronic key recognition system such that guests were locked out of their rooms. Some reports even suggested guests might have been locked inside their room.

The hotel says this is not true and doesn't reflect the facts it stated in its press release. It says the actual effect of the system data being compromised was that it was unable to program electronic key cards for new guests checking in. (Source: theverge.com)

Hotel Pays Ransom

That did prove disruptive enough that the hotel management decided the only option was to pay the ransom rather than turn guests away. It's now decided that the next time it refurbishes rooms, it's going to ditch the electronic locks for old-style physical keys. (Source: gizmodo.com)

What's Your Opinion?

Is the hotel right to ditch electronic locks for physical keys? Should it concentrate on improving cyber security instead? Are you surprised that the attackers asked for a relatively low amount?


Comments

Dennis Faas's picture

I think I've mentioned this before, but I'll say it again. Any time a system is compromised with ransomware, it is likely the same hackers will still be able to access the system, and are likely to wreak more havoc later on. As such, the revelation that this hotel was attacked four times (or more) in the past doesn't surprise me.

As for spending more on cyber security - that is probably a good idea. It sounds to me like they need to completely separate all their systems - including the key generator system - then virtualize those systems into virtual machines, with backups of data stored separately on yet another machine. If one of the systems gets infected, revert the machine to a previous state and then point to the current data.

ecash's picture

Why does every corp like Automated systems...
Take the 1 person out that's in the middle..
Yes they could have had a system on the net, but THEN transfer data with a HUMAN..
ASK any one to the major corps...
IF there were an individual IN THE MIDDLE/sysop/admin/??? watching, monitoring transferring data...Watching for that person DOWNLOADING 8tb of data or a strange UPLOAD, that SHOULD be analyzed BEFORE RUNNING...
MOST of this STUFF would not happen...
BUT who wants to pay for 3-5 extra people to do this job, when a COMPUTER can do it..

dbrumley3077's picture

You are entirely correct. What's to keep this outfit from hacking the hotel's systems again and acquiring customers' credit card information? I'm surprised they didn't go after that instead, unless they tried and failed. It could be these hackers' attack methods were not all that sophisticated, but the fact they did succeed probably has encouraged them to continue.

DarthSolo's picture

Outstanding article!

I think the low cost is directly associated with how much it will cost to re-deploy a clean system, in this case it may just be a day or two with a good backup plan in place. I would think the cost that is asked is directly associated with the price of fixing it in house, but for about 75% or so less for an immediate remedy, which of course may only be for a while once the attackers consider that you have paid once and you will more than likely pay again.

Sometimes it’s worth paying the money just to be operational, depending on how much money you are losing while it’s happening. It’s really a numbers game when it comes down to it, but never forget that all anyone is ever buying is time when we submit to ransom. This time is used to plug holes, crack down and repair, in this case, they may still be scratching their heads about how it happened; and it’s cheaper to discard the tech and go old school. All a numbers game.

It’s funny how fast the IT industry has grown over the years. Why did hotels switch to electronic access vs metal keys? It must have been more profitable, more secure, more audit capable; but we forget that most things are only secure through obfuscation. Once everyone knows how to crack something, it’s no longer secure, and obscurity has its price. Even with keys, we may be going around in circles in regards to how to break in; let’s move forward and not back.

Data ransom isn’t something I think anyone should pay, it’s just a symptom of an underlying illness that needs to be healed by professionals that will implement working and functional policy.

When I get really sick, I might try to pound some fireball (fireball clears the sinuses, ha-ha!) and hope things get better, and sometimes that works to alleviate the pain, but sometimes I find myself visiting the doctor for antibiotics because the symptoms just won’t go away.

Keep it tight IT!

guitardogg's picture

I understand how a business can crank the numbers, and decide it's okay to pay the ransom. But even if it hurts, they should NEVER pay these scumbags! If no one paid, they would never make a profit, so in theory they would stop. Yes, they would probably move on to some other illegal hacking, but it would shut down the ransoms. Consider it a cost of doing business. Good backups, on completely separate systems, protect you from these kinds of attacks. In my long career in IT, I know how hard it is to get management to spend money on something that might happen. Hopefully these kinds of attacks will give IT some leverage in convincing management to invest in security!!