Cyber Incident Victim: The Allison Inn & Spa
Date:
Jun 2022
Location:
United States of America
Summary
A prominent Oregon luxury resort experienced an unusual cyberattack where hackers publicly posted sensitive employee information—including Social Security numbers, birthdays, and phone numbers—alongside guest stay dates and billing amounts on a readily accessible website, diverging from typical dark web leaks. The attackers likely aimed to extort payment by exposing this data broadly. While guest exposure appeared limited to stay details, employee data compromise posed significant privacy risks. The incident garnered attention from cybersecurity researchers due to its unconventional public dissemination method, highlighting heightened visibility and potential reputational damage for the resort.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Allison Inn & Spa, a prominent luxury resort in Oregon, experienced a cyberattack in mid-June 2022 that resulted in the public exposure of sensitive data. Attackers compromised internal systems and extracted employee records containing personally identifiable information, including Social Security numbers, phone numbers, and dates of birth. Additionally, they obtained guest records listing names, dates of stays, and billing amounts. Unlike typical ransomware operations that conceal stolen data on dark web portals, the attackers published this information on a publicly accessible website indexed by standard search engines, making it discoverable through routine Google searches. This breach represented both a privacy violation and an unconventional extortion attempt, as threat actors likely intended to pressure the resort into paying ransom by escalating reputational damage through overt exposure.
The attack's unusual methodology attracted immediate attention from cybersecurity researchers and industry publications due to its deviation from standard criminal practices involving restricted-access leak sites. While the exact intrusion vector remained unspecified in initial reports, the public data dump created tangible risks primarily for employees whose exposed Social Security numbers could facilitate identity theft. Guests faced comparatively lower direct risks, as financial details and residential information weren't included in the leaked ledger. The resort did not publicly confirm whether ransom demands preceded the leak or detail any operational disruptions caused by the incident. Cybersecurity analysts noted the strategy reflected an emerging trend of attackers leveraging public shaming tactics to compel payment from victims concerned about regulatory penalties and customer trust erosion.