Personal responsibility and cybersecurity: Reflections in the face of the hacker attack on Motel-One

At the end of September 2023, the Motel-One hotel chain was the target of a serious hacker attack in which, according to public information, more than 6 terabytes of customer data, including sensitive personal information such as addresses, telephone numbers, dates of birth and overnight stays, were disclosed.

Dieter Müller, co-founder and partner of Motel-One, whose own data was also compromised, is appealing to political decision-makers to significantly strengthen national cyber defense mechanisms in response to the data leak.

Comment/Opinion:

While Müller's call to politicians for increased cyber defense initially seems entirely justified, it is important to emphasize that data security and protection are first and foremost an internal company responsibility. A company's own possible failures should not be blamed exclusively on external structures such as the federal government or the Federal Office for Information Security (BSI). The BSI offers extensive information and guidelines that support companies in implementing effective cyber defense strategies, although absolute protection against cyber attacks can never be guaranteed. Efficient internal measures and mechanisms, for example anomaly detection with systems such as Splunk, can proactively identify illegal data movements at an early stage so that appropriate countermeasures can be taken.

Taking international security standards into account, for example by complying with ISO 27001, can also be considered an integral part of a robust cybersecurity strategy.

Even if it may have been a failed ransomware attack, here is some important background information about the hacker group ALPHV, which claimed responsibility for the attack, and its connection to the ransomware development platform “BlackCat”. BlackCat is highly dangerous data encryption software offered as Software-as-a-Service (SaaS), which makes it available to non-technical cybercriminals as well. It gives them the means to encrypt companies' data and extort them, while the developers pocket a share of the extorted ransoms.

We believe the emergence of data from 2016 also raises serious questions about the hotel chain's General Data Protection Regulation (GDPR) compliance and calls for additional internal adjustments to data storage practices.

Ultimately, it would be advisable for companies like Motel-One to focus primarily on optimizing and strengthening their own cybersecurity instead of focusing on external regulations. Unfortunately, in-house IT departments often believe that they can get IT security completely under control on their own. However, IT security is a separate and extensive field. Engaging experts such as red teamers and ethical hackers (white hat hackers), conducting penetration tests, and implementing other proactive security measures are the company's direct responsibility and should be taken seriously as such.