Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled.
They accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234.
An expert says the case highlights the vindictive side of criminal hackers.
UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza, and Regent customers.
Teapea Personally Identified Itself As IHG Hacker
On Monday last week, customers reported widespread problems with booking and check-in.
For 24 hours IHG responded to complaints on social media by saying that the company was undergoing system maintenance.
Booking channels and other applications have been significantly disrupted since yesterday, it said in an official notice lodged with the London Stock Exchange.
The hackers, calling themselves TeaPea, contacted the BBC on the encrypted messaging app, Telegram, providing screenshots as evidence that they had carried out the hack.
The images, which IHG has confirmed are genuine, show they gained access to the company’s internal Outlook emails, Microsoft Teams chats, and server directories.
Our attack was originally planned to be ransomware but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead, one of the hackers said.
A wiper attack is a form of cyber-attack that irreversibly destroys data, documents, and files.
The hackers’ change of tactic seems born out of vindictive frustration, he said. They couldn’t make money so they lashed out, and that betrays the fact that we are not talking about ‘professional’ cybercriminals here.
Customers’ Data Untouched In Fun Hack
IHG says customer-facing systems are returning to normal but that services may remain intermittent.
The hackers are showing no remorse about the disruption they have caused the company and its customers.
We don’t feel guilty. We prefer to have a legal job here in Vietnam but the wage is average at $300 per month. I’m sure our hack won’t hurt the company a lot.
The hackers say no customer data was stolen but they do have some corporate data, including email records.
TeaPea says they gained access to IHG’s internal IT network by tricking an employee into downloading a malicious piece of software through a booby-trapped email attachment.
