Cl0p ransomware gang claims cyberattack on Hilton, alleged breach unconfirmed

The Cl0p ransomware gang has claimed responsibility for a cyberattack targeting Hilton, one of the world’s largest hotel operators, alleging the company is its latest victim. The claim appeared on the group’s dark web leak site on Jan. 25, where hilton.com was listed as a newly compromised organization.

The group has not released evidence to substantiate the claim, such as samples of allegedly stolen data, nor has it disclosed what types of information may have been accessed. The post included inflammatory language accusing the company of neglecting customer security, a tactic commonly used by ransomware groups to increase pressure on victims and accelerate ransom negotiations.

Such claims typically follow a pattern in which attackers later release limited data samples if a victim does not respond. When negotiations fail, stolen information may be published or sold on underground markets, exposing organizations to operational disruption and reputational damage.

Hilton operates more than 600 properties across 94 countries and territories under 26 hotel brands. Its customer loyalty program has approximately 195 million members, representing a large repository of personal and travel-related data. At this stage, however, there is no confirmation that any Hilton systems were compromised.

The company has not issued a public statement addressing Cl0p’s claim. Without corroborating data or acknowledgment from Hilton, the alleged breach remains unverified.

Hilton reported $11.7 billion in revenue last year, a scale that aligns with the profile often targeted by ransomware operators. Industry research from Palo Alto Networks indicates that initial ransom demands commonly range from 0.05% to 5% of a victim’s perceived annual revenue.

The hospitality sector has seen repeated ransomware activity. In a separate recent incident, Hyatt was allegedly targeted by the NightSpire ransomware gang, which claimed to have exfiltrated 48.5 gigabytes of documents linked to the Hyatt Place Chelsea New York hotel and made the data publicly accessible.

Cl0p, a ransomware gang linked to Russia, has been associated with several large-scale attacks affecting thousands of organizations worldwide. Past campaigns targeted file transfer platforms including MOVEit, Fortra GoAnywhere, and Cleo, leading to widespread downstream data exposure. More recently, Barts Health NHS Trust confirmed that files containing invoice data related to patients, staff, and suppliers were stolen in a Cl0p-linked incident. The group has also claimed to possess data belonging to Mazda, Mazda USA, and Canon.

Despite a major law enforcement crackdown on its operations in 2021, Cl0p has continued to reemerge. The group is known for posting public notices on its dark web site rather than directly contacting victims, prompting organizations to initiate negotiations themselves. Cl0p operates under a ransomware-as-a-service model and employs double extortion tactics, combining data theft with encryption and the threat of public disclosure if ransom demands are not met.