US Hotels Giant Targeted in Major Cyberattack as NightSpire Releases Internal Data on Dark Web

At least one of the world’s leading hotel companies was possibly affected by a major cybersecurity breach recently when NightSpire, a ransomware group, stated that an attack had occurred at Hyatt Hotels Corporation. The group claims to have stolen over 48.5GB of critical company internal documents.

In an unprecedented act, the hackers are allowing users to download the stolen information, which includes payroll and accounting information, for free on the dark web.

A Closer Look at the Alleged Stolen Data

The criminal syndicates listed on its dark web page, samples from the 48.5 GB of data, which it seemed to have obtained from the Hyatt Place Chelsea Hotel in New York. The information they extracted is much more than simply raw customer records. The information will include sensitive internal company documentation that could create a chain reaction of security issues. Here’s what’s in the records:

• Internal documents relating to finance, such as invoices and detailed expense reports. The full name of the employee associated with these expenses is present on each invoice.
• Credentials to Hyatt’s internal systems: These credentials provide access to Hyatt’s internal Content Management System (CMS), which allows attackers to potentially gain initial access into Hyatt’s overall digital environment.
• Personal and company information: Employee contact information, employee Email Signatures, and information from Partner Companies.

This combination poses a considerable amount of risk to Hyatt. If attackers have breached employee credentials, the risk to Hyatt extends beyond financial fraud. The hackers have the capability to utilize this data to create an ongoing relationship with the organization in a hidden manner.

The Ransomware Tactic: From Pressure to Punishment

The gang’s action of releasing files for free to download from the internet is indicative of the ransomware playbook. Typically, when a ransomware actor has negotiated unsuccessfully with the victim, they will switch from a monetary gain to a “punishing” way of attacking the victim.

The gang posted the bulk data dump on the dark web to damage the victim’s reputation and operations and to warn future targets in an effort to maximize harm. This tactic reflects a classic double-extortion scheme, in which attackers both encrypt the victim’s data and threaten to release it during the attack.

In the current case, the group placed samples of Hyatt’s allegedly exfiltrated files on the dark web and also provided a link that allows others to contact them for free downloads of all samples.

A Brief Background of the Cybercriminals 

NightSpire has developed into a financially motivated ransomware-as-a-Service (RaaS) threat group since it came up in early 2025. The gang has evolved into a Double Extortion hacker with a focus on extorting money from Small and Medium-Sized Enterprises (SMEs) that provide critical infrastructure within the United States and 33 countries around the globe. Currently, it has publicly posted approximately 105 victims on a popular dark web forum.

• Primary victim: Most affected victims are located in the United States.
• Reason for action: Specialists at SOCRadar agree that NightSpire acts solely for financial gain. The attacks have shown to be non-geographically based and do not support any form of political agenda.
• Method: Delivery of Double Extortion ransomware.

In June 2025, the NightSpire Cybercrime Group hacked Al Tadawi Hospital in Dubai, stealing sensitive health information (1.5TB of confidential records) and financial information. The cybercrime group also attacked Vascara in Vietnam in November 2025, utilizing ransomware to disrupt their business activities.

While financially-motivated groups like NightSpire target corporations and critical infrastructure, other hackers pursue high-profile symbolic targets, as seen in the case where a hacker pled guilty to breaching the security of the U.S. Supreme Court in a major cyberattack.

As the cybercriminal organization NightSpire continues to grow in numbers, it is further evolving its tactics and operational methods, thereby presenting itself as an ever-increasingly serious security risk.

Hyatt’s History and What’s at Stake

Hyatt is a global hospitality corporation with headquarters based in Chicago, and it owns and operates nearly 1,500 hotels globally spanning over 80 countries via well-known brands (Park Hyatt, Grand Hyatt & Andaz) with reported revenue of $6.9B in 2025.

It has previously suffered a data breach when a third-party recruitment agency that worked with it (Foh&Boh) accidentally released millions of applicants’ resumes online in early 2025.

Hyatt has not yet provided a public update on the incident, and the corporation has yet to reveal the potential impact of the alleged attack. However, the impact is likely to be far greater than Hyatt’s previous data breach.

If someone is worried about their data, they should take the following steps:

• Be extra cautious with any emails that seem very specific to their account; these could include things related to travel or Hyatt.
• Monitor financial accounts for any unusual activity.
• If you are a Hyatt employee, follow any internal security guidance from the company immediately.