Cybersecurity Transparency: The SEC’s Action Against Ashford Inc.

Image from KBI Media [1]

In January 2025, the U.S. Securities and Exchange Commission (SEC) took action against Ashford Inc., a Dallas-based asset management firm serving primarily the hospitality industry, for failing to disclose critical details of a cyberattack that compromised sensitive information of approximately 46,000 hotel guests [3][5]. The SEC's January 13, 2025, complaint in the enforcement action is available through the Commission's litigation release [3].

The Cyberattack: What Happened?

The events leading to the SEC's action began in September 2023, when Ashford Inc. fell victim to a ransomware attack carried out by a foreign-based threat actor. The attack affected 22 hotels under Ashford Inc.'s management. The threat actor gained access to Ashford Inc.'s servers, encrypted them, and exfiltrated more than 12 terabytes of data stored on the company's internal systems. The data included sensitive hotel guest information such as personally identifiable information (PII), financial details, addresses, phone numbers, vehicle descriptions, license plate numbers, guest incident reports, guest folios, and dates of stay [3][4]. On September 25, 2023, Ashford Inc. obtained the decryption key from the threat actor and received assurances that the exfiltrated data would be destroyed [4].

Following the attack, however, Ashford Inc. issued public statements assuring stakeholders that no customer data had been compromised, a claim the SEC later alleged to be false. Ashford Inc.'s November 2023 filing with the SEC stated that it had "completed an investigation" and "had not identified any customer information as exposed." Similar disclosures appeared in Ashford Inc.'s 2023 Form 10-K and in its quarterly filings for the first and second quarters of 2024 [3].

The SEC alleged that Ashford Inc. knew or should have known that the exfiltrated data contained sensitive PII and financial information. The gap between the actual impact of the attack and the company's public disclosures points to significant shortcomings in its internal communication, incident response, and assessment of the attack's severity [3].

The SEC’s Enforcement Action

On January 13, 2025, the SEC filed a settled complaint against Ashford Inc. in the U.S. District Court for the Northern District of Texas. The complaint alleged that the company violated Section 17(a)(3) of the Securities Act of 1933, a negligence-based antifraud provision, as well as Section 13(a) of the Securities Exchange Act of 1934 and the related reporting rules [3][5].

The SEC charged Ashford Inc. with failing to provide accurate and timely disclosures regarding the cyberattack's impact. The Commission emphasized that the company's misrepresentation of the incident misled investors and fell short of its obligation to give them an accurate picture of a material cybersecurity event [3].

Without admitting or denying the allegations, Ashford Inc. agreed to settle the SEC’s charges by consenting to an injunction and paying a civil penalty of $115,231 [5].

A Broader Trend: Cybersecurity Accountability

The enforcement action against Ashford Inc. reflects a broader trend of regulators increasing their scrutiny of how organizations handle and disclose cyber incidents. With the SEC continuing to enforce its cybersecurity disclosure rules, companies should reassess their practices to avoid similar consequences.

The Ashford Inc. case highlights the importance of aligning incident response with regulatory expectations. Beyond technical remediation, organizations must ensure accurate and comprehensive communication of cybersecurity incidents, particularly when investor confidence and compliance are at stake [2].

As the cybersecurity landscape evolves, organizations must focus not only on preventing and mitigating attacks but also on strengthening governance and communication. Transparency and trust are essential for building confidence among stakeholders and meeting regulatory expectations.

Key Takeaways

  • Although roughly sixteen months passed between the attack and the SEC's charges, the action highlights the agency's heightened focus on corporate accountability in the wake of cyber incidents.
  • Transparency is non-negotiable; organizations must provide truthful and timely disclosures about cyber incidents. Misleading statements can not only damage reputations but also lead to legal and financial penalties.
  • A cybersecurity incident is not just a technical challenge; it is a business issue that requires a coordinated response across multiple teams. Effective collaboration among IT, legal, compliance, and public relations teams is essential to managing the crisis, and an accurate understanding of the incident's scope and impact depends on clear communication between IT teams, executives, and external stakeholders. Organizations must invest in a comprehensive incident response plan so that what is disclosed matches what was actually found.
  • As regulators place increasing emphasis on cybersecurity transparency, organizations must stay updated on evolving disclosure requirements and ensure compliance.

References

  1. Image from KBI Media. https://kbi.media/separating-fact-from-fiction-the-importance-of-transparency-in-cybersecurity/
  2. Blackhat Middle East and Africa, January 15, 2025. What does transparency in cybersecurity really mean. https://insights.blackhatmea.com/what-does-transparency-in-cybersecurity-really-mean/
  3. U.S. Securities and Exchange Commission. Litigation Release No. 26215 / January 13, 2025. Ashford Inc. to Settle Negligence-Based Charges for Misleading Investors Regarding a Cyber Incident. https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26215
  4. Alexander Barzacanos. January 16, 2025. Hotel asset manager settles with SEC over cyber breach misreporting. https://www.grip.globalrelay.com/hotel-asset-manager-settles-with-sec-over-cyber-breach-misreporting/
  5. Kevin M. LaCroix. January 16, 2025. SEC Files Cyber Disclosure Enforcement Action Against Asset Manager. https://www.dandodiary.com/2025/01/articles/cyber-liability/sec-files-cyber-disclosure-enforcement-action-against-asset-manager/

16 Comments

  1. Great blog, Cynthia! I’m baffled by Ashford Inc.’s decision to try and cover up such a significant cyber attack. No organization is immune to cyber threats, but how you respond is what truly matters in the recovery process. Transparency is key not just with law enforcement but also with your clients, as it helps them stay informed and vigilant against any potential fallout. Ashford’s decision to conceal the breach was both irresponsible and unprofessional. I hope this serves as a wake-up call and a deterrent to other companies, emphasizing the importance of integrity and accountability in the face of cyber threats.

  2. The importance of transparency and accountability in cybersecurity cannot be overstated. It’s a reminder that cybersecurity isn’t just a technical issue but a significant business concern that affects trust and investor confidence. One crucial takeaway is that misleading statements about cyber incidents can not only damage reputations but also lead to legal and financial penalties. Thanks for shedding light on this important topic, Cynthia.

  3. I completely agree that transparency is key when it comes to cyber incidents. Companies owe it to their clients and the proper authorities to be open about what’s happening. This case really highlights the need for businesses to follow SEC guidelines on reporting cybersecurity risks and incidents, making sure they’re transparent and protecting investors from potential harm caused by unreported or unnoticed breaches. It’s a reminder of how much more focus is being placed on cybersecurity regulations and the responsibility companies have to manage and disclose these risks the right way.

  4. I will agree with everyone’s opinion as this case with Ashford Inc. really highlights the importance of transparency and having a solid plan in place for cybersecurity incidents. We have to understand how crucial it is to involve cybersecurity experts early on to fully understand the scope of an attack. Sharing honest updates, even if investigations are still ongoing, could help maintain trust with stakeholders and regulators. It’s also a reminder for companies to regularly review their disclosure policies and ensure they align with evolving regulations. Being proactive can go a long way in avoiding legal and reputational risks in situations like this!

  5. Wow! This is an interesting post, Cynthia. This shows that cybersecurity and privacy of customer data is not just about safeguards, it is also about organizational reputation and the damages that can be caused from non-compliance to legislations or regulations. The misrepresentation of the situation from Ashford Inc. was in extreme violation of data privacy laws and this also begs the question of the impacts these would’ve had on the guests whose data were exposed. The false statement that no customer information was exposed would’ve prevented any procedures or mitigations to reduce the impact of the breach to at least an acceptable level which shows a deficiency in their incident response procedures. It is good to see that they were held accountable for their unethical act.

  6. Excellent post, Cynthia. I'm astounded that Ashford would not only attempt to cover up the exfiltration of 12 TB worth of data, but that the SEC would fine a company with a market valuation of $17M a mere $115K after not only negligent disregard for personal information given that the leak happened, but a betrayal of their customers by claiming that it hadn't even occurred. It sounds quite similar to the fines that the EU hands out to large tech corporations for privacy violations, which like this are so small in comparison to how much the company makes that it's doubtful they will incentivize the company away from bad behavior.

    1. I completely agree, Kyle. The SEC’s fine does seem disproportionately small given the scale of the data exfiltration and the significant impact on affected individuals. You make a great point that such minimal penalties, both in the U.S. and the EU, often fail to act as a strong deterrent for companies. This highlights the need for more meaningful penalties that truly reflect the gravity of these violations.

  7. Very interesting post, Cynthia! I was impressed by the amount of data that was collected, and that much of that information was PI. It is very concerning how companies' disclosure policies are applied; this case has been active since 2023 and still few measures have been taken to control how companies should inform their clients about incidents. It is a good reminder of how incidents should be handled. Thanks for sharing!

  8. Fantastic post Cynthia!! Your research demonstrates how crucial it is to disclose cyber incidents honestly and promptly, emphasising how misunderstandings can damage investor confidence and result in legal repercussions. Your focus on regulatory compliance and cross-functional cooperation provides a useful road map for businesses negotiating the intricate relationship between governance and cybersecurity.

  9. Cynthia, this post shed light on the regulatory challenges companies face in the wake of cyber incidents, particularly emphasizing the SEC’s role in enforcing transparency. I learned about how Ashford Inc.’s mishandling of the ransomware attack led to significant legal and reputational repercussions. The case highlights the importance of not just technical remediation but also accurate communication with stakeholders. This is a timely reminder of how critical it is for organizations to align incident response strategies with regulatory expectations.

  10. The chaotic actions of Ashford Inc. were incredibly frustrating. They attempted to cover up the situation by acquiring the encryption key from the threat actor along with assurances that the exfiltrated data would be destroyed. This was a poor decision and they will lose public trust and confidence. This case underscores the increasing importance of transparency in cybersecurity disclosures and the necessity for businesses to handle cyber incidents responsibly. It is crucial to be transparent when sensitive customer data is involved. Companies must take this as a lesson to ensure they are honest and clear when responding to cyber threats.

  11. Great Insight! While no company is safe from cyber threats, how you respond to them is what really counts. Being transparent—not just with authorities but also with your clients—helps everyone stay aware and protected from the potential fallout. Ashford’s attempt to cover up the breach was not only irresponsible but downright unprofessional. This serves as a wake-up call for other companies, stressing the importance of accountability, integrity, and clear communication when it comes to cybersecurity. It’s clear that staying transparent and following SEC guidelines is essential to protect both customers and investors in today’s increasingly regulated environment.

  12. Exciting post Cynthia! This appears to be a really serious case of miscommunication or misinformation, involving Ashford Inc. The entire incident also raises some serious concerns about Ashford’s handling of the fallout. However, it appears that the SEC’s action serves as a warning to handle cybersecurity events more effectively going forward. After a breach, it’s critical to maintain transparency, stay updated on the exposed data, and make sure all applicable regulations are being followed.

  13. Interesting post, Cynthia!
    It's bad that clients' data is breached and worse to be lied to! Ashford Inc. should know better: concealing a cyberattack has never made it better; rather, it costs more both reputationally and financially! I hope lessons were learnt and they do better and are able to regain the trust of their clients, which would be a long road to recovery.

  14. Nice post, Cynthia. It is shocking to see how long it took for the SEC to act on this. Ashford Inc. really put their customers information at risk and then tried to cover it up. This should be a wake-up call for all businesses about the importance of transparency and cybersecurity awareness.

  15. Great post, Cynthia!

    I’m genuinely shocked that Ashford Inc. went so far as to negotiate with the threat actor in an attempt to cover up the breach. The real question is, how could they be certain that the exfiltrated data would actually be destroyed?

    Moreover, what if the data had already been sold or used for another hidden agenda?

    Kudos to the SEC for identifying the deception and taking action!