The parent company of a Santa Fe luxury hotel announced late on Tuesday that an incident last month resulted in the removal of certain data from its computer systems.
La Fonda Holdings LLC, which was established when the popular La Fonda on the Plaza hotel changed ownership, said in a news release that an investigation has shown that it "has received no indication that customer data was included."
"However, this is a recent incident, and the situation is subject to change," the news release said.
A message about the incident attributed to hotel Vice President and General Manager Rik Blyth said that the company reported the incident to federal law enforcement and are notifying state regulators as well as major credit reporting agencies. The message also contains a link to a FAQ.
The disclosure about the cybersecurity incident came about three hours after Albuquerque Business First contacted Blyth and the hotel's director of marketing about a claim made by users of a particular kind of ransomware. Those users stated they had data from “lafondasantafe.com.” That URL matches the website for La Fonda on the Plaza.
The claim, made by users of LockBit 3.0, shows it was posted sometime on or around Tuesday. It gives a deadline of Sept. 18 before the site will publish the available data. The claim contains screenshots of what appear to be file directories containing financial reports and other documents. One screenshot shows a directory containing more than 95,000 files. Another shows an image of a passport issued in the name of a La Fonda Holdings LLC executive.
The company said in the news release that it learned of the unauthorized third-party access to computer systems on Aug. 18. The access disrupted certain servers and computers, the news release said. The hotel retained outside information technology personnel and forensic experts to investigate the incident and restore "secure operations."
"Within two days, primary computer systems and data were restored using available backups, and normal business operations resumed," the news release said.
The company has retained what it calls data security legal specialists to investigate and recommend actions to take, and implemented a number of digital security protocols including a global password reset, among other steps.
The ransomware claim was posted on the LockBit 3.0 site, which is accessible through Tor hidden services. Tor hidden services are essentially websites that can only be accessed using specific web browsers. Ransomware gangs and other malicious actors post their actions to these sites.
In the cybersecurity world, LockBit 3.0 is the latest version of a particular flavor of ransomware. It succeeds LockBit 2.0, which was the subject of an FBI alert in early February that detailed various “indicators of compromise” — evidence or markers — associated with this particular flavor of ransomware.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file and/or a benign sample of an encrypted file,” the FBI alert stated.
The LockBit flavors are billed as “Ransomware-as-a-Service.” Essentially, it’s developed by a group that offers to would-be “affiliates” — hackers and malicious actors — who use the ransomware and boast of their exploits in the same way a software provider would highlight its clients.
Last week, Business First was the first to report that users of LockBit 3.0 claimed to have nearly 250 gigabytes of data from Goodwill Industries of New Mexico. And earlier this year, First Financial Credit Union in March began an investigation and notified its members that users of an earlier version of the LockBit ransomware claimed to have accessed data from the financial institution.
