A cyber-attack on a hotel reservation system has exposed the personal data of thousands of guests who stayed at upscale Finnish hotels.
News of the security incident, which has impacted at least five hotels, was first reported by Finnish news agency MTV on Tuesday.
Between February 10 and 14, cyber-attackers exploited a vulnerability to hack into the company’s computer system that supplies the booking system to multiple hotels across Finland. After the hack was discovered on April 9, the vulnerability was patched.
Nordic Hotels & Resorts disclosed that the personal data of 15,497 of its customers had been compromised owing to the attack on the booking system used by two of its Helsinki-based hotels – the boutique F6 Hotel and the grand and luxurious Hotelli Kämp.
The breach reportedly affected only those guests who booked directly through the hotels’ websites.
“The booking system for one of our suppliers’ websites was compromised. The attack affected two of our hotels,” said Jonathan Blom, communication advisor at Nordic Hotels & Resorts.
He added: “We try to work closely with our suppliers and our IT support team to prevent things like this from happening, but unfortunately there are criminals who commit crimes to gain access to information.”
Blom said on Tuesday that several other hotels in Finland had been affected by the cyber-attack. The incident has been reported to the Finnish police and the country’s data protection commissioner.
On Wednesday, MTV reported that the data breach occurred when an international reservation system operated by American travel technology company Sabre Corporation was hacked.
The news agency reported that three additional hotels in Finland had been affected by the data breach. The number of guests whose personal data was compromised has now reportedly risen to at least 20,000.
“The reporter of the program office has announced that the case also concerns three other hotels in Finland,” Helsinki Police criminal inspector Jukkapekka Risu told MTV.
Information compromised in the hack includes hotel guests’ names, addresses, phone numbers, email addresses and the dates of their reservations. The data breach is not believed to have exposed any sensitive identity documents or financial payment card information.