{
	"id": "dc3e3210-d899-4748-b16e-803ee9497020",
	"created_at": "2026-04-06T00:09:38.726956Z",
	"updated_at": "2026-04-10T13:13:04.864265Z",
	"deleted_at": null,
	"sha1_hash": "2911236b4731472a63693a30c44911f361530b25",
	"title": "Desorden Group Reportedly Hacks Centara Hotels \u0026 Resorts Within 10 Minutes After Recovering From the First Data Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54373,
	"plain_text": "Desorden Group Reportedly Hacks Centara Hotels \u0026 Resorts\r\nWithin 10 Minutes After Recovering From the First Data Breach\r\nBy Terrell Byrd\r\nArchived: 2026-04-05 16:31:15 UTC\r\nBreachExchange mailing list archives\r\nFrom: Terrell Byrd \u003cterrell.byrd () riskbasedsecurity com\u003e\r\nDate: Mon, 8 Nov 2021 13:45:45 -0500\r\nhttps://www.cpomagazine.com/cyber-security/desorden-group-reportedly-hacks-centara-hotels-resorts-wit\r\nThe Desorden hacking group reportedly hacked a group of luxury hotels again\r\nafter a deal to pay a $900,000 ransom collapsed.\r\nThe hacking group said it had satisfied all the hotel’s demands, including\r\nproviding samples of every database stolen before the management pulled out\r\nof the deal on Tuesday.\r\nDesorden hacking group claimed to have breached the hotels again within 10\r\nminutes and exfiltrated 400 GB of files, including personal details and the\r\ncompany’s corporate information.\r\nWorth $11.6 billion, the Chirathivat family owns the Central Group that\r\noperates the Centara Hotels \u0026 Resorts that suffered the data breach.\r\nCentara Hotels \u0026 Resorts CEO Thirayuth Chirathivat said they learned of the\r\ninitial data breach that affected “a limited section of our network” on\r\nOctober 14.\r\nHe admitted that the hackers had accessed some customer information but not\r\ncredit card and financial information. The company added that it had\r\ncommenced an investigation into the data breach and would provide more\r\ninformation when it becomes available.\r\nDesorden told DataBreaches.net that the hotel began its data recovery\r\nefforts and negotiation on October 16 and recovered part of the data on\r\nhttps://seclists.org/dataloss/2021/q4/81\r\nPage 1 of 3\n\nOctober 17.\r\nHowever, the hacking group claims to have breached the servers again within\r\n10 minutes to prove they still had access. It also mocked the “reputable\r\nconsultant” contracted by the Centara hotels after the initial data breach.\r\n“Reputable consultant, we will leave it for the public to think about it,”\r\nthe group said.\r\nDesorden claims to have exfiltrated hundreds of gigabytes, affecting\r\nmillions of customers worldwide after compromising the hotel’s entire\r\nnetwork. The group did not disclose whether the incident was a ransomware\r\nattack.\r\n“We basically brought down their entire backend, which consists of 5\r\nservers,” Desorden claims. “In total, over 400 GB of files and data was\r\nstolen over a course of 10 days.”\r\nAccording to Desorden, the data breach affected millions of customers from\r\nall countries who stayed in over 70 luxury hotels operated by Central Group\r\nbetween 2003 and 2021. They include “luxury first-class hotel guests” and\r\ncustomers who made advanced bookings in 2021.\r\nThe group said that the stolen data includes name, passport number, ID\r\nnumber, phone, email, the residence of some hotel guests, their booking\r\ninformation including check-in and departure time, and other details. It\r\nalso claims to have accessed “all financial data, corporate data, employee\r\ndata” and other details.\r\nAdditionally, Desorden claims it hacked other companies under the Central\r\nGroup management and will publish the stolen data soon.\r\nIn early October, Desorden had claimed responsibility for hacking the\r\nCentral Restaurants Group in Thailand belonging to Central Group.\r\nEarlier, the group took responsibility for hacking Acer India and leaking\r\nmore than 60 GB of customer information online. Desorden subsequently\r\nhacked Acer Taiwan to make a point after warning that the company had poor\r\ncybersecurity practices and operated additional vulnerable servers in\r\nIndonesia and Malaysia.\r\nDesorden is developing a pattern that involves mocking the victim and\r\napparently executing follow-up attacks to make a point. However, the\r\nsuccess of the initial and follow-up attacks seems to bolster Desorden’s\r\ncredibility.\r\nhttps://seclists.org/dataloss/2021/q4/81\r\nPage 2 of 3\n\n_______________________________________________\r\nBreachExchange mailing list sponsored by Risk Based Security\r\nBreachExchange () lists riskbasedsecurity com\r\nIf you wish to Edit your membership or Unsubscribe you can do so at the following link:\r\nhttps://lists.riskbasedsecurity.com/listinfo/breachexchange\r\nCurrent thread:\r\nDesorden Group Reportedly Hacks Centara Hotels \u0026 Resorts Within 10 Minutes After Recovering\r\nFrom the First Data Breach Terrell Byrd (Nov 10)\r\nSource: https://seclists.org/dataloss/2021/q4/81\r\nhttps://seclists.org/dataloss/2021/q4/81\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://seclists.org/dataloss/2021/q4/81"
	],
	"report_names": [
		"81"
	],
	"threat_actors": [
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a69a32c-82d0-431b-b5ab-34a070bf8d94",
			"created_at": "2023-11-08T02:00:07.154393Z",
			"updated_at": "2026-04-10T02:00:03.428568Z",
			"deleted_at": null,
			"main_name": "Desorden Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Desorden Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2911236b4731472a63693a30c44911f361530b25.pdf",
		"text": "https://archive.orkl.eu/2911236b4731472a63693a30c44911f361530b25.txt",
		"img": "https://archive.orkl.eu/2911236b4731472a63693a30c44911f361530b25.jpg"
	}
}