US hotel giant Hyatt allegedly attacked as stolen data appears online

Published: 19 January 2026
hayatt hotel chain allegedly hit by ransomware attack
Image by Cybernews

A ransomware gang claims it broke into Hyatt’s global hotel empire, saying it stole internal logins and financial data that could be downloaded for free.

The US’s Hyatt empire may have succumbed to a cyberattack. A ransomware gang, code-named NightSpire, posted on the Dark Web, claiming it had attacked the international corporation.

In the post, which went public on January 19th, attackers claim to have exfiltrated 48.5GB of sensitive data originating from the Hyatt Place Chelsea New York hotel.

ADVERTISEMENT

Posting a victim on the dark web is a common tactic ransomware gangs use to pressure companies into paying ransoms. Apart from data samples, NightSpire has also dropped a link stating: “Contact for free download of this data.”

This might indicate that the negotiations fell apart, leaving no agreement on the table. In such a scenario, attackers often sell or drop an entire stolen dataset online for anyone to download, causing victims reputational damage.

Hyatt ransomware attack stolen data
Allegedly stolen data shared by the NightSpire ransomware gang. Screenshot by Cybernews

What data was allegedly stolen from Hyatt?

The Cybernews research team has examined the data samples, which appear to be internal company documents. The data includes screenshots of:

  • Invoices
  • Expense reports with full employee names
  • Contact information
  • Signatures
  • Partner company data

The list of allegedly stolen files suggests that the documents may include employee credentials to their internal CMS. This might be extremely dangerous as it can increase the risk of an internal system breach.

“Exposed contact details and email signatures may not look dangerous on their own, but they give attackers exactly what they need to run convincing social engineering and fraud campaigns,” our research team said.

ADVERTISEMENT
Hyatt ransomware attack stolen data
Allegedly stolen data shared by the NightSpire ransomware gang. Screenshot by Cybernews

“If employee credentials prove to be compromised, the risk goes beyond scams. Stolen logins can be exploited to access internal tools, read sensitive communications, or move laterally across Hyatt’s network.”

According to our team, in the worst cases, attackers can quietly establish long-term access inside the organization.

Cybernews has reached out to the company’s representatives to verify the claims. A response and confirmation regarding the scope of the alleged attack are yet to be received.

If the claims prove to be legitimate, it would not be the first time that Hyatt workers' data has been leaked. At the beginning of 2025, Cybernews research uncovered that a US-focused hiring and onboarding platform, Foh&Boh, accidentally exposed millions of candidates’ CVs and resumes, including Hyatt Grand data.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

Hyatt manages nearly 1500 hotels worldwide

Hyatt Hotels Corporation is a Chicago-based hospitality heavyweight pulling in $6.9 billion in revenue in 2025.

The company now operates more than 1,450 hotels and all-inclusive resorts spread across 80 countries in North America, South America, Europe, Asia, Africa, and Australia.

Hyatt ransomware attack stolen data
Allegedly stolen data shared by the NightSpire ransomware gang. Screenshot by Cybernews
ADVERTISEMENT

The corporation manages more than 30 brands across luxury, lifestyle, and mass-market stays, including well-known names such as Park Hyatt, Grand Hyatt, Hyatt Regency, Andaz, Secrets, and Dreams.

Just yesterday, Barclays and Morgan Stanley both named Hyatt as their most favored lodging stock.

Ransomware gang targets the US the most

The Nightspire gang is new to the ransomware landscape. It was first spotted by Cybernews’s in-house ransomware monitoring tool in March 2025. Since then, the gang has listed 105 victims on its leak site.

According to SOCRadar, NightSpire is a financially motivated ransomware group that targets companies across multiple sectors and countries. The United States tops the list of victims, with Taiwan, Hong Kong, Egypt, and several European nations close behind. The geographical spread suggests a non-geopolitical motive.

What NightSpire ransomware attack
The most targeted industries by NightSpire. Source: SOCRadar

As its common attack tactic, the gang uses a double-extortion strategy. It means they encrypt victims’ data and threaten to publish it on the Dark Web if ransoms are not paid.

S-RM security firm reported that the gang posted on a hacker forum on 14th March 2025, and that they are looking for ransomware affiliates.

However, it is still unclear whether NightSpire operates as a ransomware-as-a-service (RaaS) or as a closed organization running its own attacks.

A RaaS cybercrime business model is based around affiliate hackers, who use or rent other gangs’ infrastructure and share profits with the core group.

What countries NightSpire ransomware attack
The most targeted countries by NightSpire. Source: SOCRadar

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked