Cyber Incident Victim: Seehotel Waldstätterhof
Date: Jan 2024
Location: Switzerland
Summary
Hackers compromised an old external software program associated with Seehotel Waldstätterhof, enabling them to send fraudulent emails impersonating the hotel to hundreds of guests. The phishing attempts aimed to steal credit card details by prompting recipients to verify payment methods under threat of reservation cancellation. The hotel promptly alerted affected individuals, assured them their bookings remained valid, and corrected an initial error exposing all recipients' emails. While attackers accessed guest email addresses and upcoming stay dates, no sensitive financial or personal preference data was breached. The establishment implemented measures to prevent future incidents and advised potentially compromised guests to contact their banks.
Description
In early January 2024, the Seehotel Waldstätterhof in Brunnen, Switzerland, experienced a cyberattack involving phishing emails sent to hundreds of guests. Attackers compromised an outdated external program previously used by the hotel for guest personalization services, which had been inactive for several years. Through this breach, the hackers obtained future reservation dates and guest email addresses but did not access the hotel’s primary reservation system, internal servers, or sensitive data such as credit card details or personal preferences.

The attackers forged highly convincing emails impersonating the hotel’s reception staff, complete with official branding, staff names, and photos. These emails falsely claimed reservations would be canceled within 24 hours due to "payment method verification issues" and directed recipients to click a link to submit payment details, emphasizing no immediate charges would occur. At least one guest, Andreas Habegger (a pseudonym), nearly fell victim due to the email’s professional appearance and personalized content, though he ultimately did not engage.

The hotel detected the attack after receiving alerts from affected guests and immediately issued personalized warnings via email and its website, instructing recipients to ignore the phishing attempts and confirming all reservations remained valid.

The hotel’s initial response email inadvertently exposed all recipient addresses, revealing the attack’s scale—impacting several hundred domestic and international guests. Within two days, management provided a detailed update attributing the breach to the compromised legacy program, clarifying that hackers reactivated it solely to extract contact information and reservation dates. No financial or highly sensitive data was stored in this system, limiting the attackers’ access. The hotel confirmed the phishing campaign aimed exclusively to harvest credit card information through deceptive links and advised guests who had submitted such details to contact their banks for card blocking. Operational impacts included temporary reputational damage, guest inconvenience, and coordinated IT remediation efforts with external partners to decommission vulnerable systems and prevent recurrence. No direct financial losses or reservation cancellations resulted from the attack, though the incident necessitated public transparency and reinforced the risks associated with retired third-party software integrations.
