Play Ransomware Gang Claims Responsibility for Cyber Attack on H-Hotels

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Dec 20, 2022 05:00 am PST

H-Hotels ( have recently been the target of a cyber-attack, which has led to disruptions in the company’s communication systems. The Play ransomware gang has claimed responsibility for the attack. At this point, it is unclear whether the claims made by the Play criminal gang are genuine; however, H-Hotels is looking into the matter as quickly as possible.

The Play ransomware gang is a notorious group of online criminals that has been operating for a number of years now. They are notorious for targeting businesses and organizations with ransomware attacks and frequently demanding large sums of money to decrypt information they have stolen. In the past, the organization asserted that it was responsible for several high-profile attacks, such as those carried out against the City of Johannesburg in South Africa and the University of California, San Francisco.

H-Hotels are renowned hospitality company that operates 60 hotels in 50 locations throughout Germany, Austria, and Switzerland, offering 9,600 rooms. The hotel chain has a workforce of 2,500 and is one of the largest in the DACH region, operating under the name ‘H-Hotels’ as well as the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.

Last week, H-Hotels disclosed that it had suffered a cyberattack on Sunday, December 11th, 2022. According to the company’s security incident notice, “cybercriminals managed to breach the extensive technical and organizational protection systems of [H-Hotels’] IT in a professional attack.” In response to the attack, the company’s IT systems were immediately shut down and disconnected from the internet in an effort to prevent further spread.

Although the attack did not affect guests’ bookings, hotel staff are currently unable to receive or respond to customer requests sent via email. As a result, it is recommended that customers contact H-Hotels by phone if they have any inquiries. H-Hotels has informed the German investigative authorities of the incident and is working with an IT forensics firm to restore its systems as quickly as possible. The company has also stated that it is taking steps to ensure that it will be adequately protected against similar cyberattacks in the future.

Why H-Hotel?

The reasons why the Play ransomware group may have targeted H-Hotels are still unclear at the moment. However, it is possible that the attackers found a weakness in the company’s cybersecurity defenses and saw an opportunity to launch a successful attack. This is something that would definitely be looked upon critically. Before launching an assault, ransomware gangs frequently engage in extensive research and reconnaissance to identify potential targets and plan their assaults following those targets.

Allegedly Stolen Data in the attack

H-Hotels, which operates under the domain name, was the target of a cyber-attack that was recently claimed by the Play ransomware gang. The gang also listed the company on its Tor site, claiming it had stolen an unknown quantity of data during the attack. The ransomware group claims that the stolen data includes confidential and personal information such as client documents, passports, and identification cards. Nonetheless, the group has not presented any evidence to support these claims.

H-Hotels have denied seeing any evidence of data exfiltration in the attack and has not provided any updates on the matter since the attack was first announced. H-Hotels has not provided any evidence of data exfiltration in the attack. A statement issued by the company reads as follows: “As of right now, the commissioned IT forensic scientists do not have any evidence to suggest that the cyber-attack could have stolen sensitive or personal data.” “If these investigations reveal the existence of a data outflow of personal data, will notify the individuals whose data was compromised.”

The General Data Protection Regulation (GDPR) says that if a company based in the EU has a serious data breach that affects customer information, it could have serious consequences. The potential disclosure of hotel guests’ personal and booking information could constitute a severe invasion of their privacy, as it could lead to the disclosure of information regarding their future travel plans, finances, and other sensitive details.

What kind of impact does this have on H-Hotels’ finances?

It is currently unknown how much the attack on H-Hotels will cost the company financially, but ransomware attacks are known to be expensive for businesses. In 2019, ransomware attacks were expected to cost businesses more than $11.5 billion, according to a report by Cybersecurity Ventures. This number is expected to keep going up in the years to come. In addition to the cost of paying the ransom, a business may also have to pay for lost productivity, downtime, and damage to its reputation.

Mark Lamb, CEO of, offered his thoughts on the attack: “This occurrence demonstrates how premeditated criminals can be concerning the timing of their attacks.” It should be emphasized once more that the prevention of attacks should always be the primary goal, as the remediation of security incidents can frequently take months and be very expensive.

Lamb stressed the importance of teaching employees how to hack and maintain good cyber hygiene, like patching holes and keeping software up-to-date. He also stressed how important it is for businesses to have a simple way to evaluate their level of cybersecurity so that they can quickly find any holes in their system that bad people could use. Businesses with smaller cybersecurity teams and budgets will be able to better close loopholes that attackers can use to get in, improving their overall cybersecurity.

Preventing future attacks – What must be done?

A multi-pronged strategy is required to thwart ransomware attacks. Businesses should consider implementing technical safeguards like firewalls, intrusion detection systems, and backup and recovery systems. They should also train their employees and maintain good cyber hygiene practices. Businesses need to have a ransomware incident response plan that is clear and widely known so that they know what to do if ransomware is used against them.

The cyberattack on H-Hotels is a good reminder of the importance of putting cybersecurity prevention measures at the top of your list of priorities. Businesses can reduce the risk of incurring expensive and damaging security breaches if they take preventative measures to secure their systems and protect sensitive data.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Nick Tausek
Nick Tausek , Security Solutions Architect
InfoSec Expert
December 21, 2022 2:44 pm

“Even though the Play ransomware gang is a relatively new group, it has solidified its reputation as a significant threat, claiming responsibility for devastating attacks against Argentina’s Judiciary of Córdoba in August and Belgium’s city of Antwerp several weeks ago. Now, it has claimed responsibility for attacks against a major European hotel chain, H-Hotels, that has caused communications outages at the height of the travel and holiday season. More significantly, the gang has claimed to have stolen the personal data of hotel customers, potentially exposing victims to further fraud and scams.

While Play had previously focused on attacking local governments that have limited cybersecurity infrastructure in place, it is important to note that the group was able to infiltrate an extensive protection network, signifying that Play has developed capabilities to launch more professional attacks.

To mitigate the chances of similar attacks in the future, it is imperative that organizations adopt low-code security automation to help detect and respond to threats in real-time by allowing complete visibility into IT environments. Endpoint security tools that integrate low-code security automation give organizations a cohesive protection strategy that protects customers and employees as well as keeps essential communications systems up and running.”

Last edited 8 months ago by Nick Tausek
Mark Lamb
Mark Lamb , CEO
InfoSec Expert
December 21, 2022 2:43 pm

“This incident shows just how calculated criminals can be with their timings of attacks. The hotel will now be scrambling to get systems back up and running before customer bookings are disrupted and its reputation suffers irreparable damage.
It is unclear whether the claims from the Play criminal gang are genuine, so H-Hotels must investigate this urgently as ID cards and passports are the kinds of documents no one ever wants to have floating about on the dark web, particularly as changing them can be a big inconvenience during the holiday season.
This incident once again highlights that the prevention of attacks should always be the primary goal, as the remediation of security incidents can often take months and be very costly.
This mean training staff of hacking techniques and ensuring businesses employ good cyber hygiene practices, like patching vulnerabilities and keeping software up to date. It is also vital that businesses have an easy way to assess their cybersecurity posture, so they can quickly identify weaknesses that could be maliciously exploited. This will help close attacker loopholes and make cybersecurity more accessible and understandable for businesses with smaller cybersecurity teams and budgets.”  

Last edited 8 months ago by Mark Lamb

Recent Posts

Would love your thoughts, please comment.x