
Ransomware Hit Our Booking System: A Hotel Incident-Response Plan

A step-by-step incident-response plan for independent hoteliers when ransomware locks your PMS and booking engine mid-season.

HotelSEO Lab, March 7, 2026. 10 min read.

Let me set the scene, because this is the version of the story nobody puts in a case study.

It is a Friday in peak season. Your front desk manager calls and says the property management system is showing a full-screen note demanding payment in crypto, and every file has a weird new extension. The booking engine on your website is throwing errors. Card terminals are acting strange. You have 140 rooms to turn over by 3pm and a wedding block checking in tomorrow.

I work on the search and AI-visibility side of hotels for a living, not incident response. But I have sat next to enough independent operators during the worst week of their year to know that the recovery is half technical and half reputational, and the reputational half is where I live. So this is the plan I wish every boutique hotelier had taped inside a drawer before it happened. It is not legal advice, and your cyber-insurance carrier may dictate a different order of operations. But it is a real, concrete sequence, and it will keep you from making the three mistakes that turn a bad week into a closed business.

First 60 minutes: contain, do not clean

The instinct when you see ransomware is to start deleting things and rebooting machines. Fight that instinct. The single most valuable thing you own in the first hour is evidence, and panicked clicking destroys it.

Here is the containment order I have watched work:

  1. Isolate, do not power off. Pull the network cable or kill Wi-Fi on the infected machines. Disconnecting stops the spread. But leave the machines running if you can, because forensics teams sometimes pull decryption material or attacker fingerprints out of live memory. A hard shutdown can erase that.
  2. Segment the rest. If your PMS server, your back-office PCs, and your guest Wi-Fi all share one flat network, assume everything is exposed. Disconnect the property from the internet at the router level until someone qualified says otherwise. Yes, that takes your booking engine offline too. We will deal with that in a minute.
  3. Stop the bleeding on payments. Call your payment processor and your acquiring bank. If card data may have been touched, they need to know now, and they can flag the merchant account before fraud piles on.
  4. Start a written timeline. Open a paper notebook. Write down the time you noticed, what you saw, who you called, and what you changed. This log matters for insurance, for the breach investigation, and later for what you tell guests.

Ransomware is rarely the first event. By the time files are encrypted, attackers have usually been inside for days or weeks, quietly copying data. That is why “we restored from backup, so no data was stolen” is one of the most expensive assumptions a hotelier can make. Containment buys you time. It does not undo exfiltration.

Hour 1 to 4: call the people who do this for a living

You are a hotelier, not a forensic analyst. The fastest path to recovery is admitting that out loud.

On the ransom itself: do not freelance it. Whether to pay is a decision for counsel, the IR firm, and law enforcement together. Paying can run afoul of sanctions law, the key you get back may not even work, and a payment marks your property as a soft target for the next crew. The real escape hatch is a clean, tested backup, which is why I am about to nag you about backups.

Days 1 to 3: the guest-data breach question

This is the part that quietly decides whether your reputation survives. A hotel PMS is a goldmine: names, addresses, phone numbers, loyalty data, sometimes passport or ID scans, sometimes stored card tokens. If any of that was accessed or copied, you likely have a notification obligation.

I am not your lawyer, so treat this as a map, not the territory:

The temptation is to stay quiet and hope. Do not. The breach itself is survivable. Getting caught hiding it is the thing that ends up in the local paper and, worse for me, in the AI answers people get when they search your hotel’s name. Once a “data breach cover-up” story exists, it becomes part of what large language models say about you, and that is brutally hard to un-say. I wrote more about how AI tools form an opinion of your property in “Is your hotel invisible to ChatGPT”, and the same mechanics work against you in a crisis.

When you do notify, write like a human. A plain, specific letter that says what happened, what data was involved, what you are doing, and what the guest should do beats corporate fog every time. That same honest tone is what protects you in reviews and in content and reputation work afterward.

Days 1 to 7: keep taking bookings while the engine is dark

Here is where my world and the IR world collide. While the forensics team rebuilds your PMS from clean images, your revenue cannot just stop. You need a manual booking lifeboat.

| Function | Normal system | Crisis workaround |
|---|---|---|
| Take a reservation | Booking engine on site | Phone plus a clean tablet and a simple secure form |
| Check availability | PMS calendar | Printed or exported room grid from your last clean backup |
| Process payment | Integrated terminal | Standalone terminal on a separate line, or pay-at-arrival |
| Distribute inventory | Channel manager | OTA extranets directly, if unaffected |
| Capture direct demand | Website booking flow | Temporary landing page with a phone number and form |

A few hard-won notes on that table. Use a device that was never on the infected network, ideally on a mobile hotspot. Do not log back into anything until the IR firm clears it. And if your channel manager or OTA extranet is on separate infrastructure and uncompromised, lean on it, because right now a booking through any channel beats an empty room. This is the one week I will tell an independent to gratefully accept the OTAs doing what they do. The goal long term is a healthier mix and more direct bookings, which is the whole point of book-direct CRO, but a crisis is not the moment to be precious about it.

The hotels that recover their reputation fastest are the ones that kept answering the phone with a calm human voice while their systems were on fire. Guests forgive an outage. They do not forgive being ghosted on a reservation they already paid for.

If your main domain’s booking flow is down, stand up a one-page site on separate hosting with your phone number, a basic inquiry form, and a short honest note. Keep your Google Business Profile current with a post and correct phone number, because that is where stranded guests will look first. We keep a playbook for exactly that surface in the Google Business Profile guide for hotels.

Weeks 2 to 8: rebuild clean, then rebuild trust

Once the IR firm gives the all-clear, recovery has two tracks running in parallel.

The technical track is theirs to lead: rebuild servers from known-clean backups, rotate every password and key, patch whatever let them in, and turn on multi-factor authentication everywhere it was missing. Do not restore the old system as-is. Restoring the same unpatched box just invites the same crew back.

The trust track is mine. After the dust settles, here is what I help operators do:

I want to be honest about timelines, because false promises are how people get burned twice. Technical recovery from a serious ransomware event commonly runs one to four weeks before you are fully back on clean systems. Search and reputation recovery is slower and not guaranteed on any fixed date. We can maximize the odds and the speed by feeding the engines accurate primary sources and fresh positive signal, but anyone promising a guaranteed return to your old rankings by a specific Tuesday is lying to you.

The unglamorous prevention that makes all of this survivable

Everything above gets ten times easier if you did three boring things beforehand.

  1. Backups you have actually tested. Offline or immutable copies, restored on a schedule so you know they work. An untested backup is a hope, not a plan.
  2. Network segmentation and MFA. Guest Wi-Fi, PMS, and back office should not share one flat network. Multi-factor authentication on every admin login stops most of these before they start.
  3. A written plan with phone numbers. Insurer hotline, IR firm, lawyer, processor, your web and SEO contact. Printed, because the file you need might be the one that is encrypted.

Ransomware is a crisis where the search and reputation fallout outlasts the technical one by months. If you want a second set of eyes on how your hotel currently shows up across Google and AI search, and a plan to protect that surface before anything goes wrong, book a free intro call and we will walk through your specific exposure together.

FAQ

Quick answers

What is the first thing to do when ransomware hits a hotel PMS?

Isolate the infected machines from the network immediately, then preserve evidence before touching anything. Disconnect, do not power off, because powering off can destroy memory-based forensic data and sometimes the decryption keys.

Do I have to notify guests if their data was exposed in a hotel breach?

In most US states, yes, if personal data like names, payment cards, or IDs were accessed. Breach-notification timelines vary by state and by card-network rules, so loop in a lawyer and your acquirer early rather than guessing.

Should an independent hotel pay the ransom?

That is a legal and business decision you make with counsel and law enforcement, not a default. Paying can violate sanctions rules, does not guarantee a working decryption key, and marks you as a future target. Tested backups are the real escape hatch.

How do I keep taking bookings while my booking engine is down?

Switch to a clean device on a separate connection, take reservations by phone and a simple form, and lean on your channel manager or OTA extranet if those systems are unaffected. Direct bookings can route through a temporary landing page while the main engine is rebuilt.
