Hyatt Hotels Hit by NightSpire Ransomware Attack: 48.5GB of Data Allegedly Stolen
A newly emerged ransomware group, NightSpire, has claimed responsibility for a cyberattack on Hyatt Hotels Corporation, posting stolen data on the dark web after failed negotiations. The breach, disclosed on January 19, 2025, involves 48.5GB of sensitive information allegedly exfiltrated from the Hyatt Place Chelsea in New York, though the full scope remains unconfirmed by Hyatt.
NightSpire, first identified in March 2025, employs a double-extortion tactic, encrypting victims’ data and threatening to leak it unless a ransom is paid. The group has listed 105 victims on its leak site, with the U.S. as its top target, followed by Taiwan, Hong Kong, Egypt, and several European nations. Unlike geopolitically motivated attacks, NightSpire appears financially driven, though it remains unclear whether it operates as a Ransomware-as-a-Service (RaaS) group or an independent collective.
The leaked data includes internal documents, employee credentials, and financial records, raising concerns about lateral movement within Hyatt’s network and social engineering risks. Cybernews researchers confirmed the authenticity of samples, which feature screenshots of expense reports, employee names, and potential access to Hyatt’s internal CMS. If verified, this would mark the second major Hyatt data leak in 2025, following an earlier breach involving a U.S. hiring platform that exposed millions of resumes, including Hyatt employee data.
Hyatt, a Chicago-based hospitality giant with 1,450+ properties across 80 countries and $6.9 billion in 2025 revenue, has not yet responded to requests for confirmation. The company’s portfolio spans luxury and mass-market brands, including Park Hyatt, Grand Hyatt, and Hyatt Regency.
NightSpire’s post on the dark web includes a public download link, a tactic used to pressure victims into paying ransoms. The group’s rapid rise listing over 100 victims in under a year signals a growing threat in the ransomware landscape.
Source: https://cybernews.com/security/hyatt-ransomware-nightspire-darkweb-leak/
Hyatt cybersecurity rating report: https://www.rankiteo.com/company/hyatt
"id": "HYA1768842036",
"linkid": "hyatt",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Hospitality',
'location': 'Chicago, USA',
'name': 'Hyatt Hotels Corporation',
'size': '1,450+ properties across 80 countries, $6.9 '
'billion in 2025 revenue',
'type': 'Corporation'}],
'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
'data_exfiltration': 'Yes (48.5GB of data allegedly stolen)',
'personally_identifiable_information': 'Yes (employee names, '
'credentials)',
'sensitivity_of_data': 'High (personally identifiable '
'information, financial data)',
'type_of_data_compromised': ['Internal documents',
'Employee credentials',
'Financial records']},
'date_detected': '2025-01-19',
'date_publicly_disclosed': '2025-01-19',
'description': 'A newly emerged ransomware group, NightSpire, has claimed '
'responsibility for a cyberattack on Hyatt Hotels Corporation, '
'posting stolen data on the dark web after failed '
'negotiations. The breach involves 48.5GB of sensitive '
'information allegedly exfiltrated from the Hyatt Place '
'Chelsea in New York, though the full scope remains '
'unconfirmed by Hyatt.',
'impact': {'brand_reputation_impact': 'Potential brand reputation damage',
'data_compromised': '48.5GB of sensitive information',
'identity_theft_risk': 'High (employee credentials and personal '
'data exposed)',
'systems_affected': 'Hyatt Place Chelsea in New York (potential '
'lateral movement within Hyatt’s network)'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (double-extortion tactic)',
'ransomware_strain': 'NightSpire'},
'references': [{'source': 'Cybernews'}],
'threat_actor': 'NightSpire',
'title': 'Hyatt Hotels Hit by NightSpire Ransomware Attack: 48.5GB of Data '
'Allegedly Stolen',
'type': 'Ransomware'}