Cyber Incident Victim: Finland

A data breach impacting multiple hotels in Finland occurred between February 10 and February 14, 2022, targeting systems operated by a service provider for Nordic Hotels and Resorts (Nordic Choice Hotels). The breach specifically affected Helsinki-based properties Hotel Kämp and F6 Hotel, compromising personal data of 15,947 customers accumulated from 2019 onward, though not all guests during that period were impacted. Exfiltrated information included full names, phone numbers, physical addresses, email addresses, and dates of hotel stays. Nordic Choice Hotels became aware of the incident on April 9, 2022, and formally reported it to Finland’s Data Protection Ombudsman and the Finnish Police on April 12. The company confirmed the attack also affected several other Finnish hotels beyond their portfolio, though specific identities remained undisclosed due to contractual arrangements between the compromised service provider and impacted establishments.

Nordic Choice Hotels notified affected customers via email, disclosing the nature of the exposed data and confirming the breach originated from their third-party provider’s systems. The company stated the vulnerability enabling the attack had been remediated by April 2022, declaring online reservation systems secure for future bookings. No financial data or payment card information was confirmed as compromised in the breach. Internal investigations and coordination with the external provider continued following the mandatory regulatory notifications. The hotel group emphasized prioritizing guest safety but did not disclose specific forensic findings regarding the attack vector or perpetrator identity. Impact assessments indicated the breach scope might expand as additional hotels linked to the same service provider could be affected, though no further details were verified at the time of disclosure.