Cyberattack on InterContinental Hotels Disrupts Franchisees

Hotel owners complain they received one email from IHG executives explaining that the attack would shut down online reservation systems. They say they can’t respond to angry and frustrated customers’ questions because IHG hasn’t shared any details on what data was exposed in the hack.

“They should be able to share the minimum information so the hotel owners aren’t left in the dark for days on end as they are trying to address the very livelihood of their business,” said Laura Lee Blake, president and chief executive of the Asian American Hotel Owners Association, which represents around 20,000 hotel owners in the U.S.

Cyberattacks can ripple across companies’ supply chains, customers and franchisees. A ransomware attack on software firm Kaseya Ltd. last year spread to customers in several countries.

“We have not identified any evidence of unauthorized access to guest data. We remain focused on supporting our hotels and owners and throughout this period have communicated regular updates to owners and hotel teams,” an IHG Hotels & Resorts spokesperson said. IHG’s hotel brands include Holiday Inn, Staybridge Suites and InterContinental Hotels.

Hotel owners said they dealt with angry customers whose reservations were lost due to the cyberattack. Ms. Blake said her association’s members who responded to a survey about the attack, and who each own between two and five hotels, estimate losses of between $30,000 and $75,000 each. The members calculated the numbers based on recent weeks’ bookings, last year’s reservations and competitors’ bookings. Technology systems are running again, Ms. Blake said.

“Of course hotel owners are looking to be compensated for this. It wasn’t their fault by any stretch,” she said.

At a Holiday Inn in Louisiana, one customer yelled and demanded an explanation about the hotel’s handling of their credit card, said Vimal Patel, owner of the hotel and president and chief executive of QHotels Management, a hotel group based near New Orleans.

Mr. Patel and a group of other hotel owners filed a class-action lawsuit against IHG in U.S. District Court in Atlanta on Sept. 15.

“We’re worried about our financial stability when we didn’t get hacked,” Mr. Patel said.

IHG franchisees pay monthly fees to use the company’s reservation technology, the lawsuit says.

In addition to compensating franchisees, Mr. Patel wants the company to explain what data was exposed in the cyberattack and how it happened. He said executives should take responsibility for the company’s poor security.

Hotel chains are popular targets for hackers, given the breadth of personal and financial information they tend to hold on customers. Marriott International Inc. has dealt with several breaches in recent years, while in 2016, a cyberattack on IHG resulted in customer credit-card data being exposed. The company agreed to pay more than $1.5 million to settle a class-action lawsuit relating to that data breach in 2020.

Aside from the immediate technology problems, franchisees might see other effects from a cyberattack later on, such as higher rates if they try to obtain cyber insurance, said Allie Mellen, senior analyst at Forrester Research Inc. Hacked companies are legally required in many jurisdictions to disclose to regulators and people affected if personal data is exposed.

Businesses are often reluctant to reveal details of a cyberattack, especially if they don’t have strong security measures in place, she said. But withholding important details can damage customers’ trust, she added. “It’s quite damaging for them,” she said.

“One always presumes we don’t know the worst of it because they’re not coming forward,” Ms. Blake said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com