Cyber Incident Victim: Radisson Hotels Americas
Date: May 2023
Location: United States of America
Summary
A threat actor exploited a zero-day vulnerability in the MOVEit file transfer application, compromising guest data from Radisson Hotels Americas. The parent company, Choice Hotels, confirmed that a limited number of guest records were accessed. The Cl0p ransomware gang, which claimed responsibility for the widespread attacks, employed a double-extortion technique. The incident was part of a larger campaign affecting numerous other organizations, though data from this specific victim was not published on the gang's leak site.
Description
On or around May 31, 2023, Choice Hotels International confirmed that guest data from its Radisson Hotels Americas chain had been compromised as part of a massive hack targeting the MOVEit file transfer system. This attack was carried out by the Cl0p ransomware gang. The Radisson Hotels Americas brand, which comprises nearly 600 hotels operating and under development, had been acquired by Choice Hotels in August of the previous year. The company stated that a vulnerability in the MOVEit software, supplied by an external vendor, was exploited by malicious actors, resulting in data breaches affecting many of the vendor's customers, including Radisson Hotels Americas.

Choice Hotels reported that its investigation into the incident was still ongoing when it confirmed the breach. Although the investigation was not complete, the company had identified that a limited number of guest records were accessed by the attackers. The international hotel group, which is the parent company of more than a dozen hotel chains ranging from higher-end brands like the Ascend Hotel Collection and Clarion Pointe to economy motels such as Rodeway Inn and Econo Lodge, did not reveal whether any of its other brands were impacted by the MOVEit hack at that time.
The Cl0p ransomware gang, which has been linked to Russia, did not post any data allegedly stolen from Radisson on its dark web leak site following the breach. As part of its common tactics, the gang publicly accused the company of not caring about its customers' data and ignoring its security, a message it typically directs at victims who refuse to negotiate a ransom payment. Out of an abundance of caution, Choice Hotels stated it was in the process of notifying the guests whose information was affected by the breach.
This incident was part of a much broader campaign by the Cl0p gang exploiting a zero-day vulnerability in the MOVEit Transfer application, which is distributed by the American software company Progress. The software is used by thousands of companies globally to securely send and receive files. Experts estimated that approximately 3,000 deployments of the MOVEit application were active when the vulnerability was first discovered. The gang began leaking the names of victims affected by the MOVEit attacks on June 14th, with at least 120 victims listed on its leak site shortly thereafter. More victims were expected to be announced in the subsequent weeks and months.
The MOVEit attack followed a similar pattern of exploitation by the Cl0p gang, which had made headlines in March of the same year by claiming responsibility for a zero-day attack against the Fortra GoAnywhere file management system. That previous incident affected roughly 120 companies worldwide, and it was thought the number of MOVEit victims would be at least double that figure. Notable victims of the MOVEit attacks included Siemens Energy, UCLA, the NYC Department of Education, and Shell Global, which was hit in both the GoAnywhere and MOVEit campaigns and was the first victim claimed by the ransom group in June. Other significant organizations impacted included professional services firms PWC and Ernst & Young, technology company Sony, and several US federal agencies such as the Department of Energy and the Department of Health and Human Services.
In response to the widespread threat posed by the gang, the White House recently issued a $10 million reward for any information leading to the arrest of a Cl0p member. The gang commonly employs a "double-extortion" technique, which involves both stealing and encrypting victim data. If a ransom is not paid, the gang refuses to restore access to the encrypted systems and publishes the exfiltrated data on its leak site.
The confirmation from Choice Hotels regarding the Radisson data breach added another significant name to the growing list of organizations affected by this widespread and coordinated cyber attack. The company emphasized its serious approach to cybersecurity and privacy, noting that significant resources are dedicated to continuously monitoring the cyber landscape and following guidance from regulators to evaluate and adjust its security posture as needed. The primary impact was the confirmed access of a limited set of guest records, with the corporate response focused on investigation and customer notification.
