
When Stolen Credentials Bring Down a Global Hotel Chain

The IHG attack exposes how a single point of failure can paralyze thousands of properties worldwide, and what your company can learn from it.
June 24, 2026

An Attack That Shut Down Thousands of Properties at Once

InterContinental Hotels Group, known worldwide by the acronym IHG, publicly confirmed a cyber incident that compromised its reservation systems and digital applications, leaving thousands of properties around the world without access to critical operational tools for several days. The group behind the attack used stolen credentials to access the company's cloud environments and, after a failed extortion attempt, deliberately destroyed data, an escalation that goes beyond traditional ransomware. The confirmation was reported by BleepingComputer, one of the leading outlets in cybersecurity.

The impact was immediate and far-reaching: guests were unable to make reservations, franchisees lost access to management platforms, and teams across multiple countries were forced to operate manually in an environment designed to be 100% digital. This type of disruption is not just an IT problem; it is an operational crisis with financial, reputational, and trust losses that compound with every hour of downtime.

The IHG case is not an isolated one. According to IBM's Cost of a Data Breach 2024 report, the global average cost of a data breach reached $4.88 million per incident — the highest figure in the study's history. And attacks that exploit compromised credentials represent the most common entry vector, present in 16% of all incidents analyzed in the same study. The question every IT decision-maker should be asking is not "could this happen to me?", but rather "what would happen to my operations if it happened tomorrow?"

The scale of the IHG attack serves as a mirror for any organization that depends on centralized systems, cloud environments, and partner or franchisee networks. The digital interdependence that makes modern operations efficient is the same force that amplifies the blast radius when a single point of failure is exploited.


Vectors That Attacks Like This Typically Exploit

While the full internal details of the IHG incident are not publicly available, attacks with this profile — using stolen credentials to breach cloud environments and culminating in deliberate data destruction — typically exploit vectors that are well known to the security market. Understanding these vectors is the first step toward ensuring your organization does not follow the same path.

Compromised credentials and lack of multi-factor authentication (MFA). This is, consistently, one of the most exploited vectors in modern attacks. Access credentials are leaked through phishing, purchased on dark web forums, reused across services, or exposed by employees using personal devices without adequate protection. Once an attacker has a valid username and password, they can move through the environment as if they were a legitimate employee, especially if there is no MFA (a second form of verification beyond the password) to block the login. In cloud environments, this gap can immediately grant access to critical data, backup systems, and administration panels.

Lack of proactive monitoring and anomalous behavior detection. Sophisticated attacks rarely happen in minutes. Mandiant's M-Trends 2024 report indicates that the average dwell time of an attacker inside a network before being detected is 10 days in environments without continuous monitoring. During that period, the intruder maps the infrastructure, escalates privileges, and identifies the most valuable assets — whether customer data, backups, or critical systems. Without a proactive monitoring system that identifies out-of-pattern behavior — such as a user accessing abnormal volumes of files at 3 a.m. — the alert arrives too late.
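As an added illustration of the out-of-pattern check described above (this is not code from the original article), the following Python script builds each user's daytime file-access baseline from constructed log lines and flags off-hours activity that exceeds it; the log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log (assumption, not from the article): "<ISO time> <user> <action> <target>"
SAMPLE_LOG = """\
2026-06-20T08:55:30 alice LOGIN workstation-12
2026-06-20T09:12:01 alice FILE_READ /shares/finance/q1.xlsx
2026-06-20T09:40:17 alice FILE_READ /shares/finance/q2.xlsx
2026-06-20T10:05:44 bob FILE_READ /shares/hr/policy.pdf
2026-06-20T14:22:09 alice FILE_READ /shares/finance/budget.xlsx
2026-06-20T22:30:00 alice FILE_READ /shares/finance/notes.txt
2026-06-21T03:01:10 bob FILE_READ /shares/backups/db-001.bak
2026-06-21T03:01:12 bob FILE_READ /shares/backups/db-002.bak
2026-06-21T03:01:15 bob FILE_READ /shares/backups/db-003.bak
2026-06-21T03:02:01 bob FILE_READ /shares/backups/db-004.bak
2026-06-21T03:02:05 bob FILE_READ /shares/backups/db-005.bak
2026-06-21T03:02:09 bob FILE_READ /shares/backups/db-006.bak
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 treated as normal working time (assumed policy)
MIN_FILES = 5                  # never alert on fewer reads than this within one hour
SPIKE_FACTOR = 3.0             # an off-hours hour must be 3x the user's own daytime average

def parse_events(log_text):
    """Yield (timestamp, user, path) for FILE_READ lines; other actions are ignored."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "FILE_READ":
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]

def detect_off_hours_spikes(log_text):
    """Return [(user, hour_bucket_iso, reads)] for off-hours activity above the user's baseline."""
    counts = defaultdict(int)            # file reads per (user, hour bucket)
    for ts, user, _ in parse_events(log_text):
        counts[(user, ts.replace(minute=0, second=0))] += 1
    daytime = defaultdict(list)          # per-user reads in each active business hour
    for (user, bucket), n in counts.items():
        if bucket.hour in BUSINESS_HOURS:
            daytime[user].append(n)
    alerts = []
    for (user, bucket), n in sorted(counts.items()):
        if bucket.hour in BUSINESS_HOURS:
            continue
        baseline = mean(daytime[user]) if daytime[user] else 0.0
        if n >= max(MIN_FILES, SPIKE_FACTOR * baseline):   # compare to the user's own habit, not a global number
            alerts.append((user, bucket.isoformat(), n))
    return alerts
```

On the sample, alice's single read at 22:30 stays quiet while bob's burst of backup-file reads at 3 a.m. produces an alert, because the threshold is relative to each user's own daytime behavior.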

Lack of network segmentation and excessive permissions. In environments where all systems communicate freely and users have access beyond what their roles require, a single compromised entry point can become a passport to the entire infrastructure. Network segmentation — which divides the environment into isolated zones with controlled communication — limits the attacker's lateral movement. Without it, what could have been a contained incident within a single system becomes the shutdown of an entire operation.


How to Protect Your Infrastructure: A Layered Approach

Implement EDR and multi-factor authentication as a non-negotiable foundation. EDR (Endpoint Detection and Response) is a technology that monitors the behavior of every device on the network in real time, identifying suspicious patterns before damage is done. Combined with MFA on all access points — especially in cloud environments and administrative tools — this dual layer drastically reduces the attack surface available to anyone who obtains stolen credentials. According to Microsoft, MFA blocks more than 99.9% of automated account compromise attacks.

Ensure backups are isolated, encrypted, and regularly tested. The IHG case brought to light a reality that many organizations overlook: backups accessible within the same compromised environment are useless in an attack that destroys data. Truly secure backups must be isolated from the main network, encrypted end-to-end, and — crucially — tested on a regular basis. Testing a backup means simulating a full restoration and measuring the actual recovery time. An untested backup is a promise without a guarantee. The 3-2-1-1 strategy (three copies, on two different media, one off-site, one offline) is the current benchmark for data resilience.

Adopt continuous 24/7 monitoring with active patch management. Attacks do not respect business hours. A SOC (Security Operations Center) that monitors your infrastructure around the clock can identify and respond to anomalies in minutes, not hours or days. Paired with continuous patch management — which keeps operating systems, applications, and firmware always up to date — it closes the vulnerability windows exploited by attackers who automatically scan the internet for outdated systems. Organizations with active patch management reduce the risk of known vulnerability exploitation by up to 60%, according to data from the SANS Institute.


Questions Every Decision-Maker Should Be Asking Right Now

1. Would my backups actually work in a disaster like this? How quickly could my operations be back online?

2. Does my team have the right tools to identify and stop an attack like this immediately, before it causes the full extent of the damage? How am I investing in the preparation of my technical team?

3. How long could my company survive without access to its systems and files?

Would my backups actually work in a disaster like this? How quickly could my operations be back online?

Most organizations have some form of backup configured. The problem is that very few have ever simulated a full restoration under real pressure. A backup without documented testing is, in practice, a gamble. In a managed IT environment, backups are configured with isolation from the production environment, end-to-end encryption, and mandatory periodic test windows that generate auditable reports. RTO (Recovery Time Objective, or the maximum tolerated time to restore operations) and RPO (Recovery Point Objective, or the maximum amount of data that can be lost) cease to be estimates and become measurable, guaranteed targets.
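To make the backup testing described both in the layered-approach section and here concrete, the following Python script is an added example (not code from the article or from any vendor): it takes a checksummed copy of a constructed sample directory, restores it into scratch space, verifies every file, and reports whether the measured restore time and backup age meet the RTO and RPO targets; the directory names, sample files and targets are assumptions.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_backup(source, backup_root):
    """Copy source into a timestamped folder and write a checksum manifest beside it."""
    dest = Path(backup_root) / time.strftime("backup-%Y%m%dT%H%M%S")
    shutil.copytree(source, dest / "data")
    manifest = {"taken_at": time.time(), "files": sha256_tree(dest / "data")}
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return dest

def restore_test(backup_dir, rto_seconds, rpo_seconds, now=None):
    """Restore into scratch space, verify every checksum, and score the result against RTO/RPO."""
    now = time.time() if now is None else now
    manifest = json.loads((Path(backup_dir) / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()                      # measured, not estimated, recovery time
        shutil.copytree(Path(backup_dir) / "data", Path(scratch) / "restored")
        elapsed = time.monotonic() - start
        restored = sha256_tree(Path(scratch) / "restored")
    corrupt = sorted(f for f, h in manifest["files"].items() if restored.get(f) != h)
    age = now - manifest["taken_at"]                  # data that would be lost if restored right now
    return {
        "restore_seconds": round(elapsed, 3),
        "rto_met": elapsed <= rto_seconds,
        "backup_age_seconds": round(age, 1),
        "rpo_met": age <= rpo_seconds,
        "files_checked": len(manifest["files"]),
        "corrupt_files": corrupt,
        "passed": elapsed <= rto_seconds and age <= rpo_seconds and not corrupt,
    }

def demo(rto_seconds=5.0, rpo_seconds=3600.0, tamper=False, now=None):
    """Build constructed sample data, back it up, optionally corrupt the copy, and run the test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "production"
        src.mkdir()
        (src / "reservations.db").write_bytes(b"constructed sample data " * 64)
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        backup = take_backup(src, Path(work) / "backups")
        if tamper:   # simulate silent corruption of the backup copy
            (backup / "data" / "reservations.db").write_bytes(b"silently corrupted")
        return restore_test(backup, rto_seconds, rpo_seconds, now)
```

The returned dictionary is the auditable record the text calls for: demo(tamper=True) lists the corrupted file and marks the test as failed, and passing an old backup timestamp fails the RPO check even when every file restores intact.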

If your answer to "how quickly can I be back online?" is "I'm not entirely sure," that is the most urgent risk to address. Every hour of downtime has a quantifiable cost in lost revenue, contractual penalties, and erosion of customer trust.

Does my team have the right tools to identify and stop an attack like this immediately?

Having a dedicated IT team is not the same as having a team prepared to respond to security incidents in real time. Early detection depends on EDR tools active across all endpoints, integrated with a 24/7 monitoring system that correlates events from different sources — such as access logs, network behavior, and application alerts. Without this centralized visibility, an attacker can remain active within the environment for days without being detected.

Team preparedness goes beyond tools. Ongoing security awareness training, phishing simulations, and incident response exercises turn employees into an active line of defense. According to the Verizon DBIR 2024 report, 68% of data breaches involve the human element — whether through error, social engineering, or credential abuse. Investing in the human factor is just as strategic as investing in technology.

How long could my company survive without access to its systems and files?

This is the most honest question a decision-maker can ask. For most modern companies, the real answer is: fewer than 48 hours before severe and irreversible impacts set in. A documented and tested incident response plan — with defined roles, clear decision trees, and pre-established escalation contacts — is what determines whether a crisis becomes a footnote or a headline. Organizations with an active plan reduce the cost of a breach by an average of $1.49 million, according to IBM.

Managed IT provides not only the technology, but the process structure: response playbooks, crisis simulations, recovery SLAs, and a partner that acts immediately when an alert is triggered — regardless of the time of day.


If your company does not yet have an integrated, layered protection strategy, consider scheduling a Strategic IT Assessment, with no commitment required, to identify vulnerabilities before they become headlines.
