Data breach · Resolved

Centara Hotels & Resorts data breach

The Desorden Group stole roughly 400GB of guest data spanning 2003-2021 from Thai luxury hotel chain Centara, demanding a $900,000 ransom that the company refused to pay.

Victim
Centara Hotels & Resorts (Central Group)

In October 2021, the cybercriminal collective known as the Desorden Group announced that it had breached Centara Hotels & Resorts, one of Thailand's largest luxury hotel operators, and exfiltrated roughly 400GB of guest and corporate data. When Centara refused to pay a ~$900,000 ransom, the attackers began leaking the stolen files.

Who was hit

Centara Hotels & Resorts operates around 70 properties and is owned by Central Group, one of Thailand's largest conglomerates. The breach therefore reached well beyond a single hotel: the attackers claimed to have pulled guest records from all 70 Centara hotels, with data dating from 2003 to 2021, plus advance bookings stretching into December 2021.

What was stolen

According to the attackers, the compromised data included:

  • Guest names and booking information
  • Phone numbers and email addresses
  • Home addresses
  • Photos of identity documents, plus claimed passport and national ID numbers

The Desorden Group said the total haul amounted to approximately 400GB of files. They also claimed the intrusion extended into parent Central Group's systems, exposing a further 80GB of customer and business records, including details tied to more than 2,000 restaurants operating in Thailand.

The extortion

The Desorden Group's model was double-extortion without encryption — they did not deploy ransomware to lock systems, but instead stole the data and threatened to publish or sell it unless paid. They demanded a ransom of roughly $900,000.

Centara refused to pay. In response, the attackers published samples and threatened wider release, consistent with their pattern in other regional attacks. The group had previously been linked to intrusions at Acer and the Malaysian servers of ABX Express Enterprise, marking them as a persistent threat to Southeast Asian targets.

Why it matters

The Centara breach stands out as one of the most significant hospitality-sector incidents in Thailand. Hotels are high-value targets because they aggregate exactly the data identity thieves want — names, contact details, home addresses and scanned passports — across millions of guests and many years.

The case also illustrated the rise of exfiltration-only extortion: by skipping encryption, attackers avoid disrupting operations (and the attention that brings) while still holding the victim hostage over reputational and regulatory exposure. Centara's decision not to pay aligned with law-enforcement guidance, but left affected guests exposed to the consequences of publication — a tension at the heart of every modern data-extortion case.

Timeline

  1. The Desorden Group breaches Centara Hotels & Resorts' systems and exfiltrates guest databases.

  2. The breach is publicly reported; Desorden claims roughly 400GB of files from all 70 Centara properties.

  3. Desorden demands a ransom of about $900,000 to prevent publication of the stolen data.

  4. Centara declines to pay, and the attackers begin leaking and threatening to publish the data.

  5. The attackers claim the breach extended to parent Central Group, including data from over 2,000 restaurants.

Sources

  1. seclists.org: https://seclists.org/dataloss/2021/q4/70
  2. bangkokpost.com: https://www.bangkokpost.com/business/2202723
  3. databreaches.net: https://www.databreaches.net/desorden-group-attacks-and-leaks-data-of-centara-hotels-resorts/
  4. comparitech.com: https://www.comparitech.com/news/centara-hotels-data-breach/
