Corporate Travel Giant CWT Paid $4.5 Million in Ransom to Cyber Hackers: Reports

It used to be hotel groups and airlines were the key targets of cyber attacks in travel. Now one of the biggest corporate travel agencies has reportedly paid out millions of dollars in bitcoin to hackers who held it ransom after a “cyber-incident.”

With the intrigue of a Hollywood thriller, CWT paid out $4.5 million to hackers, according to a record of the ransom negotiations seen by Reuters, after they stole sensitive corporate files and said they had knocked 30,000 computers offline.

The attackers reportedly used a strain of ransomware called Ragnar Locker, which encrypts computer files and renders them unusable until the victim pays for access to be restored, Reuters said.

On July 30, social media accounts highlighted the payments, mentioning CWT and stating “someone transferred 414 Bitcoin ($4.5 million). According to sources in the thread ‘30,000 systems were infected and locked’.”

Join Us For Our Skift Global Forum Online Conference September 21-23

Skift contacted CWT regarding the alleged bitcoin ransom payment claim. A spokesperson for the agency told Skift: “CWT experienced a cyber-incident at the weekend. We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased.

“We immediately launched an investigation and engaged external forensic experts. While the investigation is at an early stage, we have no indication that personal identifiable information/customer and traveller information has been compromised. The security and integrity of our customers’ information is our top priority.”

Reuters added that hackers claimed to have stolen two terabytes of files, including financial reports, security documents and employees’ personal data such as email addresses and salary information.

One blockchain specialist told Skift cyber attacks were becoming a cost of doing business, and that CWT would likely have been insured against such attacks.

“In large organizations, it’s always complicated to make sure that nobody with enough security access clicks on that unusual file that lands in their mailbox, while balancing the ability for people to have enough freedom of movement to do their work efficiently,” he said.

“There is growing evidence that often these attacks benefit from some internal support/knowledge, so this makes it also very difficult to police for the IT department even if they are very vigilant. Once there is a breach, then how the ransom is paid makes very little difference in my opinion. Bitcoin in itself is actually not particularly anonymous, just more convenient that dropping a bag of cash in a bin on the motorway.”

Various hotel groups have suffered data breaches in the past, but historically don’t become aware of the attack until months later.

In 2019, Marriott revealed some 383 million records were affected by a breach in 2018, and that since 2014 hackers were accessing data of Starwood’s guest reservation systems.

In 2017, Hilton had to pay $700,000 to New York and Vermont to resolve two data breaches that resulted in more than 363,000 credit card numbers being compromised.

And in May this year, EasyJet said information from nine million customers was exposed in a cyber attack.