Cyberattacks That Devastated Hospitality from 2023 to 2025

The hospitality industry has long been a favorite target of cybercriminals.
Attacks in the industry are near-universally financially motivated, with the majority aiming to steal information that can either be sold or used to make a profit. Credit card information is a primary target, but cybercriminals also aim to steal sensitive guest information to commit fraud and use it as leverage for ransom demands.
According to the 2025 Verizon Data Breach Investigations Report, cybercriminals targeting the hospitality sector most often rely on system intrusions, social engineering, and basic web application attacks. Ransomware remains a major concern, featuring in 44% of breaches, while third-party involvement has climbed sharply, underscoring the risks of depending on outside vendors such as reservation platforms, payment processors, and other service providers.
This article discusses why cyberattacks in the hospitality industry have become so common and looks at three recent examples of serious breaches of hotels and online reservation systems.
Why are Cyberattacks a Concern in Hospitality?
Businesses in hospitality, including hotels and casinos, rely on a broad range of connected technologies to provide a seamless guest experience. From check-in kiosks and digital keycards to automated lights, temperature sensors, and minibars, Internet of Things (IoT) technology is essential to operations.
However, historically, the hospitality industry was slow to adapt to the realities of modern cybercrime. Many hospitality organizations took a long time to recognize the importance of a robust cybersecurity program—and, as a consequence, became enticing targets for cybercriminals.
The average cost of a hospitality data breach has climbed to $4.03 million in 2025. This sharp financial impact is compounded by persistent security gaps. According to 2024 projections, by 2025, 60% of hotel cyberattacks will stem from vulnerabilities in connected devices such as point-of-sale (POS) terminals and IoT equipment, which are often overlooked in routine security measures.
Recent Hospitality Cyberattacks to Know
1. Omni Hotels & Resorts Suffer Prolonged Outage
On March 29, 2024, Texas-based Omni Hotels & Resorts suffered a major cyberattack that forced multiple IT systems offline. The incident disrupted reservations, payment processing, and digital room key access at many of its locations, creating operational headaches for staff and guests alike.
In a statement, Omni confirmed that the attack had impacted multiple systems but emphasized that it remained open. Regardless, its ability to process online reservations was impacted, with its website displaying a message that said, “Dear valued guest, we are currently experiencing technical difficulties, please try back at a later time.” Guests of Omni hotels reported that check-ins were being done on paper, room keys were not working, and they were unable to pay with credit cards.
While Omni refrained from sharing details about the attack publicly, the scale and disruption of the attack led multiple analysts to speculate that ransomware was involved.
2. MGM Resorts Hack Costs Over $100 Million
In mid-2023, MGM Resorts International reported a massive cyberattack that resulted in over $100 million in costs and the theft of an unspecified amount of personal guest information.
Security researchers have attributed the hack to a social engineering attack carried out by Scattered Spider, a threat group working with AlphV/BlackCat. It began with a vishing call to the company’s helpdesk, where an attacker impersonated an employee. The attacker was able to convince a helpdesk employee to help them gain access to “their” account—the account of a super administrator with advanced privileges across MGM’s systems.
MGM attempted to cut the attack short when they noticed the attackers were “lurking around their Okta Agent servers, sniffing passwords,” but it was too late. The attackers were able to encrypt some of the company’s data—“more than 100 ESXi hypervisors,” according to the attacker, though this may be exaggerated. MGM was served with a ransom demand in exchange for the decryption key.
In a statement, the company’s CEO stated:
“…criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019. This includes name, contact information, gender, date of birth, and driver’s license number. […] We also believe a more limited number of Social Security numbers and passport numbers were obtained.”
In addition to the stolen data, guests were unable to use digital room keys, payment systems were non-functional, and hotel restaurants could only accept cash. MGM Resorts stated hotel occupancy fell to 88% during September (compared to 93% the previous year) largely as a result of the attack disrupting the company’s website and mobile applications used for reservations.
In response to the attack, MGM notified law enforcement and brought in a specialist IT security firm to support its investigation and recovery. It’s believed the company received a ransom demand but refused to engage with its attackers.
The company claimed the attack would impact its third-quarter financial results by around $100 million, including $10 million in costs for technology consultants, legal fees, and other third-party advisors. Note that these figures don’t include the cost of any legal proceedings by affected individuals, which could be considerable.
3. Motel One Hacked, Credit Card Data Stolen
Motel One, a budget hotel chain operating in Europe and the U.S., was hacked in late 2023 by the cybercrime group AlphV/BlackCat.
The group infiltrated Motel One’s network, intending to launch a ransomware attack. The company claims the attack had “limited success” thanks to its effective security posture. However, the attack resulted in downtime for the company and the theft of an unspecified amount of customer data, such as postal addresses, e-mail addresses, and telephone numbers. The attackers also accessed data linked to 169 customer credit cards and their corresponding addresses.
In a statement on its website, the AlphV/BlackCat cybercrime group stated the breach was significantly worse than Motel One let on, claiming to have stolen over 24 million files. The alleged six terabytes of data supposedly included:
“PDF & RTF booking confirmations for the past 3 years containing names, addresses, dates of reservation, payment method, and contact information. Additionally, there is a significant amount of your customers’ credit card data and internal company documents, which undoubtedly hold sensitive information.”
The group issued a ransom demand to Motel One, threatening to publish the stolen data online if the company didn’t pay. It’s unclear whether Motel One engaged with the group or paid the ransom. However, in a statement, the company claimed:
“The hacker group had published the stolen data on the Dark Net. However, as far as we are currently aware, the corresponding page on the Dark Net has since been removed.”
The company’s primary strategy appears to have been to downplay the incident—however, the fact remains that a considerable amount of personal data was stolen, and there is no doubt the incident will have been costly and embarrassing for Motel One.
4. Caesars Entertainment Pays $15 Million Ransom
In September 2023, Caesars Entertainment confirmed a major breach in which attackers stole the company’s loyalty program database—the largest of its kind in the industry. The database contains highly personal information, including driver’s license details and Social Security numbers for “a significant number” of customers.
According to some reports, the attack was conducted by the threat group Scattered Spider. The attackers initially compromised a third-party IT vendor using social engineering techniques, before using the vendor’s privileged access to acquire Caesars’ loyalty program database.
Once it had stolen the database, the group initially demanded a $30 million ransom, threatening to publish the stolen database online if it wasn’t paid. Ultimately, Caesars agreed to pay a $15 million ransom to avoid the publication of the stolen data.
In accordance with new SEC rules, Caesars Entertainment filed an 8-K report within days of the attack. The report states: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
In an attempt to mitigate potential harm to affected customers, Caesars also offered credit monitoring and identity theft protection services to all members of its customer loyalty program.
Beyond the $15 million ransom payment, this incident has had a significant financial impact for Caesars Entertainment. At the time of its 8-K filing, the company stated:
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident […] has not been determined.”
Protect Your Hospitality Organization from IoT Threats
Securing a hospitality organization is far from straightforward. So, while the attacks described here are concerning, they’re hardly surprising.
Many cyberattacks against hotels, restaurants, and other hospitality organizations go unreported. Most likely, the frequency and severity of attacks in the industry are higher than the figures suggest.
So, what can you do?
One of the major causes of cybersecurity risk in hospitality is the high prevalence of connected devices—everything from online booking systems and digital keycards to automated lights, temperature sensors, minibars, and more.
Securing network access and managing vulnerabilities across such a diverse network environment is tough. But that’s where we come in. Asimily’s platform streamlines IoT security, making it easy to lock down traffic, monitor traffic sources, and identify unusual connections.
Hospitality organizations can use Asimily’s Risk Simulation to assess mitigation options for individual vulnerabilities and devices before implementing fixes. This can help you prioritize your efforts, identify high-risk devices, and avoid wasted effort.
Asimily understands your unique environment and provides real-time, actionable remediation steps to reduce risk and save time—making our customers 10X more efficient at resolving IoT security risk.
To find out how Asimily can help minimize the risk of connected devices at your organization, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.
