One of Oregon’s most prominent luxury destinations has been victimized by an unusual cyberattack, with hackers posting employee information and a ledger of guests online in an apparent attempt to compel the hotel to pay a ransom.

“It’s not a new strategy. It’s just the way they are implementing it that is new … by putting it on the public internet in an easily searchable form,” said Brett Callow, a threat analyst for New Zealand cybersecurity firm Emsisoft. “As far as I’m aware this hasn’t been done before.”

Hackers apparently breached The Allison Inn & Spa in Newberg, demanding that the property negotiate to keep employee and guest records confidential. The cybercriminals claim to have information on 1,500 current or former employees and 2,500 reservation records from 2022.

The Allison management could not be reached for comment. The attack has attracted the attention of online researchers and national cybersecurity publications because of the hackers’ unusual approach.

Typically, cybercriminals publish any stolen data on the “dark web,” a portion of the internet that requires special browsers to access and doesn’t typically show up in online searches.

In this case, the hackers published the data on a public website, findable through a simple Google search. The site purports to list dates of guests’ stays, as well as employees’ birthdays, phone numbers and Social Security numbers.


Callow said the attack appears to be a kind of experiment by the hackers as they seek tactics to force their victims to pay ransomware. If it succeeds, he warned the tactic may become commonplace and private information may be more readily available online.

“They’re likely doing this to see how much it moves the needle in their favor,” Callow said. “Their intention may not simply be to try to squeeze the money out of The Allison. It may also be to pressure their future victims who look at what happened to the Allison and think, ‘I don’t want to go through that.’”

Callow attributes the attack to the ALPHV/BlackCat ransomware organization. While several well-known Oregon brands have been hit by cyberattacks in recent months, Callow said there’s no reason to believe hackers targeted The Allison, specifically. Most likely, he said, it was a crime of opportunity.

“More often it’s the case that someone opened a spam email they shouldn’t have opened or a server doesn’t get patched,” Callow said.

Guests at The Allison probably don’t have to be too alarmed, he said. The only data posted for them appears to be the dates of their stay and the amount they were billed.

Employees face somewhat greater risk, because a good deal of their personal information appears to be accessible. Security experts generally advise people facing potential identity theft to contact national credit bureaus to request fraud alerts and credit freezes.

— Mike Rogoway | | Twitter: @rogoway | 503-294-7699