Nordic Choice Hotels, a chain with more than 200 hotels in Scandinavia and the Baltic countries, is still grappling with technology issues and the aftermath of a data breach following a December 1st ransomware attack.

Immediately after the incident, the company shut down corporate computers, check-in counters and machines such as music systems, and disconnected computers from the Internet, said Kari Anna Fiskvik, vice president of technology at Nordic Choice.

Photo: Kari Anna Fiskvik, vice president of technology at Nordic Choice Hotels. Credit: Maia Hansen / AI-AM

Hotel staff recorded check-in details with pen and paper and escorted guests to their rooms because digital key cards were not working, Ms. Fiskvik said. The hackers struck just as the hotel industry was booming again after long lockdowns caused by the pandemic.

“We were a good target because we were already tired,” she said.

More than five weeks after the hacking attack, malfunctions continue to occur in machines that provide heating, music and other services, she said.

Nordic Choice, an independent franchisee of Rockville, Md.-based Choice Hotels International Inc., operates hotels in Norway, Sweden, Denmark, Finland and Lithuania. A spokesman for Choice Hotels International said there was no evidence that the attack compromised its technology systems.

An investigation found that hackers infiltrated Nordic Choice’s systems 36 to 48 hours before the attack began through a phishing email apparently sent by a tour operator who was in frequent contact with the company, Ms. Fiskvik said.


A hotel worker believed the message was legitimate and clicked a malicious link, she said. Hackers then removed most of the hotelier’s antivirus systems and copied data from local Windows files, she added.

On the hotel network, the hackers installed ransomware called Conti – the same type that has paralyzed a number of corporate victims in the past few months, plus Ireland’s public health system in 2020.

The Retail and Hospitality Information Sharing and Analysis Center, a non-profit group that promotes the exchange of information about cyber threats, warned its members of increased ransomware attacks in October. Retailers and hoteliers should take security precautions, such as the use of multifactor authentication for web-based mail applications and other critical systems, RH-ISAC urged.

Hackers left a message on Nordic Choice computers explaining how they could be contacted to decrypt locked data, but did not name a ransom amount. The company had no plans to speak to the attackers or pay a ransom, Ms. Fiskvik said. However, last week she discovered that someone had responded to the hackers in late December, when the tech systems were restored, despite warnings from her team, which led the hackers to demand $5 million. Still, the company didn’t pay.

Ms. Fiskvik doesn’t know who contacted them, but it could be anyone with access to the ransom note, which was available on all hotel computers, she said, adding that she reported the communications to the police.

Photo: Otto Johansson, Service Crew Manager, manually tracks room status at the Quality Hotel Winn in Gothenburg, Sweden. Credit: Dan Bergsten / Quality Hotel Winn

The morning after the attack, Nordic Choice’s operations and technology teams set up a crisis team and decided to expedite an existing plan to move from Microsoft Corp.’s Windows system to Alphabet Inc.’s Google Chrome products. Before the attack, Ms. Fiskvik’s team had planned to convert thousands of hotel computers and service machines from Windows to Chrome as part of a sustainability initiative. She pushed the migration forward to help restore operations. Technicians didn’t have to go to hotels to pick up and clean computers, she said.

The team converted the first computer within 24 hours of the attack and restored the first hotel to operation within 48 hours by handling bookings and check-ins in Chrome. The group migrated around 2,000 computers across 212 hotels in two days, saving weeks of work, she said.

Replacing or changing technology after a cyber attack can be difficult and create new security issues, said Bryon Hundley, vice president of intelligence operations at RH-ISAC.

Photo: Rasmus Stridh Halvorsen, an employee at the Xpress Central Station hotel in Oslo, learns how to use Google’s Chrome products after a ransomware attack in December. Credit: Majken Helen Evensen

The victim company is already in a vulnerable position, Mr. Hundley said, and experts need to test several security aspects of the new products, such as multifactor authentication and identity management. “It’s so complicated to adopt these technologies to make sure they work and still maintain a good customer experience,” he said.

While Nordic Choice was working to restore its technical systems, hackers released personal data of employees on the darknet, including details of their bank accounts and government-issued identification numbers. At the time, they claimed the data published was 10% of what they had stolen.

A few days later, they released more information, saying it was 20% of the total.

The company held virtual meetings to inform employees of the dark web posts and instructed executives how to help data subjects protect themselves from identity theft. “It was definitely very difficult for our employees to know that data about them was available on the internet and publicly accessible to anyone with a link,” said Ms. Fiskvik.

Hackers did not access systems containing customer information, she said.

Nordic Choice notified the Norwegian Data Protection Authority of the data leaks and continued to monitor the dark web, she said. Companies must quickly inform the supervisory authorities of a personal data breach in accordance with the European General Data Protection Regulation.

Ms. Fiskvik’s team is developing a brief cybersecurity training program to provide employees with easy-to-digest information about hacking threats, such as weekly lessons on how to spot malicious links or understand other threats. “Most people just can’t keep up. It’s just not what they know. We’re hoteliers, we’re not tech experts,” she said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.