Ransomware attack on Washington Hotel: lessons for cybersecurity and resilience in the Japanese hotel industry


Washington Hotel, which operates under Fujita Kanko Inc. (WHG Hotels), confirmed in mid-February 2026 that its servers had been breached in a ransomware attack. According to the company's official communication, the incident was detected on Friday, February 13, at 22:00 (local time), and the IT team immediately disconnected the compromised servers from the network to stop the attack from spreading. The company set up an internal working group, hired external cybersecurity experts, and referred the case to the police for a thorough investigation. The official account of the event is available in the company's public notice: Company communication.

Washington Hotel operates as a business-oriented brand with 30 establishments in Japan and a combined capacity of more than 11,000 rooms, receiving almost 5 million guests a year, according to Fujita Kanko's corporate figures. The company's business page and integrated report describe the size of the group and its operational volumes, which help to gauge the possible reputational and economic impact of a breach in this sector.


So far, the investigation has confirmed that the attacker obtained access to "several business data" stored on the affected servers, although the company notes that customer information is held on servers managed by a third party and that, so far, no unauthorized access to those systems has been detected. This means that, according to the preliminary investigation, guests' personal data should not have been compromised. However, the investigation continues, and the official statement says that any additional findings will be reported in a timely manner.

In operational terms, the incident has already had practical effects at some of the brand's establishments: card payment terminals were temporarily unavailable and there were other isolated inconveniences, although the company says that no "significant operational disturbances" have been recorded across its network. The assessment of the financial cost of the incident is ongoing.

One of the usual concerns following these attacks is double extortion: in addition to encrypting systems, criminals leak sensitive data if the ransom is not paid. In the case of Washington Hotel, there is so far no record of any ransomware group claiming the incident on the extortion portals monitored by, for example, the specialist outlet BleepingComputer, although the absence of a claim does not mean that the threat has disappeared.

This incident does not occur in a vacuum: in recent weeks and months Japan has seen a wave of attacks on companies in different sectors, which has put the focus on the maturity of corporate defenses and the need to apply patches quickly. In this context, the Japanese incident response organization JPCERT/CC warned that malicious actors were exploiting a command injection vulnerability in the Soliton Systems FileZen product, tracked as CVE-2026-25108, and that this file-sharing product is widely used in the country. JPCERT/CC's notice documents the active exploitation and recalls that the same product was already attacked in 2021: notice of CVE-2026-25108 and 2021 incident record.

Given this scenario, it is worth rethinking how an effective response to ransomware is built and what lessons cases like that of Washington Hotel leave. First, early detection and disconnection of affected systems, as the group's technical team did, reduce the attacker's ability to move laterally across the network. Collaboration with law enforcement and external forensic analysts is key to understanding the scope of the access and to preserving evidence. Another important lesson is the separation of critical environments: hosting customer information on separate, managed infrastructure with independent controls can limit the impact on personal data.

There are also proactive measures that every organization must strengthen: network segmentation, strict access controls, multifactor authentication, immutable and offline backups, and regular restoration tests. From an operational point of view, having contingency plans for payments and billing can ease the immediate pain when equipment such as card terminals is temporarily out of service. Finally, clear communication with customers, suppliers and regulators is essential to maintain confidence and fulfil legal obligations.


For regular travelers and customers, the practical recommendation is to watch for the company's official communications and to check bank accounts for unusual activity if a payment was made on the dates concerned, although the company indicates that the card systems were managed separately. More broadly, the wave of recent incidents in Japan and other regions underlines that cybersecurity is a shared responsibility: technology providers, integrators and end users must coordinate their efforts to reduce the attack surface.

The investigation into the intrusion at Washington Hotel is still open. In the meantime, the company has promised updates if additional relevant information emerges. For those who wish to follow the official developments of the case, the main source is the corporate statement already mentioned: note by Washington Hotel. To understand the technical risk related to the exploitation of FileZen, the JPCERT/CC notice should be consulted: Technical notice of JPCERT/CC. For more context on how ransomware groups operate and how their claims are monitored, specialist outlets such as BleepingComputer offer daily coverage of these threats.

In short, although the Washington Hotel alert does not for now point to a large-scale exposure of guest data, the incident is another wake-up call for companies and system administrators to strengthen defenses, automate the response and maintain resilience practices that reduce the impact of future attacks.
