The popular hospitality and restaurant customer management platform (CRM) told media outlets that a hacker accessed its data after breaching a third-party vendor. The unidentified threat actor, who is selling the company’s data on the dark web, claims to have snatched 427 GB of data. Samples of the stolen data posted online include application program interface (API) keys, payment reports, reservation lists, and promo codes. SevenRooms has confirmed the authenticity of the data and said it’s working with experts to investigate the incident. Meanwhile, the company said its systems are not affected. SevenRooms serves a number of high-profile clients, including MGM Resorts International, The Cosmopolitan, as well as restaurants like Nobu, Wolfgang Puck, and Dishoom.
Breach Did Not Expose ‘Highly Sensitive’ Payment Information
According to SevenRooms, the malicious actor breached the file transfer interface of a third-party vendor. This exposed some information like API credentials as well as guests’ names, emails, and phone numbers. SevenRooms said the API credentials leaked by the hacker are expired. The company also noted that the breach did not expose sensitive information, like guests’ bank account details. “Our protocol is not to store credit card information in that space. SevenRooms does not collect social security numbers, bank account information, or similarly highly sensitive information from hotel guests,” the company said in a statement. SevenRooms confirmed it has disabled access to the compromised interface. This breach may have leaked the data of some of the biggest restaurants and hotel chains in the world. As of the time of writing, no restaurant or hotel has put out a statement regarding this breach. SevenRooms said it would continue to provide updates as it further investigates the incident.
Cyberattacks Targeting Hotels
There has been a rise in cyberattacks targeting businesses, and the hospitality industry has not been spared from this onslaught. Major hotels, including Intercontinental Hotels Group and Marriott, have reported high-profile data breaches this year. A leak of customer or employee data poses a serious cybersecurity threat, as threat actors can harness the stolen data to orchestrate social engineering attacks. Cybercriminals are using increasingly sophisticated phishing schemes to trick unsuspecting victims into handing over sensitive details, money, and other valuable assets.