The SEC has announced settled charges against Ashford Inc, a Dallas-based investment adviser to real estate and hospitality companies, over accusations that it misled investors about the scope of a cyber breach in its mandatory financial reports.
The company agreed to pay $115,000 to settle the case, an amount the SEC credited to Ashford’s cooperation.
The SEC stated in its complaint that Ashford was the victim of a cyberattack in September 2024, instigated by an unnamed “foreign threat actor.” That attack exfiltrated 12 terabytes of data from Ashford’s servers and locked servers containing data for at least 22 of its hotel clients.
In a ransom message, the hackers informed Ashford that they had stolen sensitive hotel customer data. That included personally identifiable information such as IDs, bank account numbers, and addresses. To back up those claims, the hackers highlighted files named “guest incident report” and “guest folio,” which included customer names and the dates of their stays.
Ultimately, Ashford successfully negotiated with the hackers and they agreed to destroy the data.
Misreporting the breach
In its quarterly Form 10-Q covering Q3 2023, Ashford identified that it had been attacked and that employee data had been “potentially lost,” but stated that it had “not identified that any customer information was exposed.”
According to the SEC, Ashford went on to substantively repeat those inaccurate statements in two subsequent Forms 10-Q, and again in its annual Form 10-K.
The SEC accused Ashford of negligence in its failure to perceive the customer information leak, stating that it knew, or should have known, that the data had been compromised. The agency based that determination on a finding that Ashford could have easily verified that customer information was stolen had it reviewed the file trees for the compromised data.
Rule violations
For making the misleading statements, Ashford violated Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, and 13a-13 thereunder.
Because Ashford made the misleading statements in the course of the offer and sale of securities, Ashford violated Section 17(a)(3) of the Securities Act.