Cyber Incident Victim: Nordic Choice Hotels
Date:
Dec 2021
Location:
Norway
Summary
Nordic Choice Hotels suffered a cyberattack by the Conti ransomware group, disrupting guest reservation systems and room key card operations, forcing staff to use manual procedures that caused delays in check-ins, check-outs, and booking management. The attack potentially exposed guest booking details—including names, contact information, and visit dates—though payment data remained unaffected, and no ransom demand was initially received. The hospitality group notified Norwegian authorities and warned guests about potential phishing risks while continuing remediation efforts with law enforcement. Conti, a Russian-linked ransomware-as-a-service operation known for targeting healthcare and government entities, leveraged infrastructure previously associated with Ryuk ransomware.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 2, 2021, Nordic Choice Hotels experienced a cyber attack attributed to the Conti ransomware group, initially described as a "computer virus" by the company. The attack disrupted critical IT systems, including guest reservation platforms and room key card operations, forcing staff across its 200 properties in Scandinavia, Finland, and the Baltics to adopt manual procedures for check-ins, check-outs, payments, and bookings. This led to operational delays for guests. The hotel chain’s loyalty program, Nordic Choice Club, was also affected, preventing members from accessing accounts to manage reservations or redeem reward points, though new bookings remained possible without logging in. Security researcher Runa Sandvik confirmed key card system failures at affected properties. Nordic Choice immediately notified Norwegian authorities, including the Data Protection Authority and National Security Authority, on the day of the attack. Initial assessments indicated no evidence of stolen passwords or payment data, but the company acknowledged a risk that guest booking information—names, email addresses, phone numbers, visit dates, and any additional details provided during stays—could have been compromised.
Nordic Choice publicly confirmed the ransomware attack on December 7, clarifying Conti’s involvement but stating no ransom demand had been received and that the company had not engaged with the threat actors. Conti, identified as a Russian-linked Ransomware-as-a-Service operation with ties to the TrickBot malware and Ryuk ransomware, had previously targeted healthcare and law enforcement agencies, including Ireland’s Health Service Executive. Nordic Choice emphasized transparency by warning guests about potential phishing attempts leveraging leaked booking data, though it reiterated no confirmed data exfiltration had occurred. Remediation efforts involved collaboration with law enforcement, with ongoing IT restoration causing persistent delays in reservation modifications and customer service operations. The hotel directed guests to email or its website for support while its call center operated at limited capacity. Business impacts included prolonged manual processing at some properties and restricted account functionality for loyalty members, with no specified timeline for full recovery.