IHG franchisees sue over data breach

Plaintiffs say the company should have taken more steps to secure its network after a previous breach

IHG franchisees
Last week, InterContinental Hotels Group reported a cyber-attack had disrupted its reservations system. In response, a group of IHG franchisees filed a lawsuit against the company claiming IHG should have taken more steps to prevent the breach in light of warnings it received after a previous breach.

A GROUP OF InterContinental Hotels Group franchisees have filed a lawsuit against the company in connection with a cyber-attack that “significantly disrupted” its booking channels and other applications in mid-September. The lawsuit claims that IHG should have taken more steps to prevent the breach in light of warnings it received after a previous breach.

IHG implemented a response plan, including notifying the relevant regulatory authorities, working with its technology suppliers and engaging external specialists to investigate the incident, according to the company. The breach affected IHG’s reservations and customer care call centers, as well as internal systems, such as Merlin and the IHG Help Desk, according to a statement from AAHOA on the breach. The association said franchisees, including some of its members, saw a complete shutdown in guestroom bookings during this outage.

On Sept. 15, several IHG franchisees filed a lawsuit against IHG in the U.S. District Court for the Northern District of Georgia Atlanta Division alleging the company should have done more to prevent the breach. The lawsuit references a similar breach the company experienced in 2017 as an example that IHG should have taken further steps to secure its system.

“For the second time in recent years, defendants have allowed a third-party actor to access their network and disrupt numerous functions, including, but not limited to, IHG Concerto, the online platform that guests use to reserve hotel rooms at any of the approximately 3,500 IHG-branded properties throughout the United States,” the lawsuit says. “The Data Breach was the inevitable result of IHG’s inadequate data security measures and lackadaisical approach to network security. Despite the well-publicized and ever-growing threat of cyberattacks, particularly in the hospitality industry, IHG refused to implement certain best practices, failed to upgrade critical security systems, ignored warnings about the vulnerability of its computer network and disregarded and/or violated applicable industry standards.”

A couple in Vietnam claim the conducted the hack using a password commonly used by IHG employees, according to a report from the New York Post. Plaintiffs in the lawsuit include Mayur Patel as well as Park 80 Hotels and PL Hotels, companies owned by LaPlace, Louisiana-based hotelier Vimal Patel who also filed another lawsuit against IHG in 2021 over the company’s fees and preferred vendor program.

“These hackers were not pros and they were still able to do the damage. The lame password used is complete opposite of the hotel users’ password requirements when we have to access our own system.” he said. “Also, IHG charges $16.40 per room per month in technology fees in addition to a 8 cent per transaction fee for credit cards. It forces franchisees to replace hardware every three to four years at a cost of approximately $40,000 to $55,000. So, why are franchisees always left on their own to gather losses and IHG cannot be held accountable?”

IHG had its booking channels and revenue generating systems back up quickly, an IHG spokesperson told The Post.

“Our security measures following the unauthorized activity in our technology systems are continuing,” the spokesman said. “We are working closely with our technology suppliers and external specialists have also been engaged to investigate the incident. At this time, we have not identified any evidence of unauthorized access to guest data. We remain focused on supporting our hotels and owners.”

The spokesman could not give a comment on pending litigation.

As most of the affected franchisees are small business owners who cannot afford such unexpected losses, particularly since they are still recovering from the COVID-19 pandemic, AAHOA said previously. The association said IHG should ensure that the affected franchisees are recouped their losses from the breach and an explanation for what happened.

“IHG owes its franchisees transparency,” said Laura Lee Blake AAHOA President & CEO. “IHG has not been forthcoming in explaining the outage to AAHOA-Member hotel owners, who bore the brunt of revenue losses from bookings missed due to the disruptions. As the world’s largest hotel trade association, we speak for thousands of small business owners who deserve an explanation, as well as being made whole for these preventable losses.”

AAHOA also said its members are concerned about the privacy of guests’ financial and personal data.

“To maintain the trust and confidence of its current and future customers, and that of its franchisee community, IHG must shore up its booking systems to prevent future data security breaches and provide more transparency into what happened and how IHG plans to move forward,” the association said.