Ashford to Settle Negligence-Based Charges for Misleading Investors Regarding Cyber Incident

The U.S. Securities and Exchange Commission filed settled charges against Ashford Inc. for materially false and misleading disclosures to investors regarding a cyber incident.
Ashford, a formerly registered issuer based in Dallas, Texas, is an alternative asset management company with a portfolio of strategic operating businesses that provides global asset management, investment management, and related services to the real estate and hospitality sectors.
According to the SEC’s complaint, Ashford learned in September 2023 that it had been subjected to a cybersecurity attack and ransomware demand by a foreign-based threat actor. As a result, at least 22 hotels within Ashford’s network were unable to access certain data for daily operations. As part of the attack, the threat actor gained access to Ashford’s servers and exfiltrated more than 12 terabytes of data – approximately 78 million pages of Ashford data – which was stored on Ashford’s internal computer systems and which contained, among other things, sensitive hotel guest information.
The threat actor initially demanded a ransom from Ashford, to be paid in Bitcoin, in exchange for the decryption key. As part of its demand, the threat actor provided Ashford with a list of files it exfiltrated and notified Ashford that guest incident reports were included among the exfiltrated documents. The file names in the list suggested that the files contained sensitive customer information. For example, hundreds of file names contained titles such as “guest incident report” and “guest folio” with a corresponding customer name and/or date of their stay.
In a quarterly report filed with the SEC in November 2023, Ashford indicated that it had “completed an investigation” and had “not identified that any customer information was exposed.”
Ashford made similar disclosures in two additional quarterly reports, along with Ashford’s annual report filed with the SEC for the period ended Dec. 31, 2023. However, Ashford knew or should have known that the exfiltrated data contained sensitive personally identifiable information and financial information related to guests.
Since December 2022, Ashford had maintained an incident response plan, or IRP, to respond to potential cybersecurity attacks. In the IRP, the company stated, “[a]n incident is typically either one that compromises functionality (functional impact table), or compromises information (information impact table). Rare are incidents that combine factors from both tables.” The September 2023 cyber incident compromised both Ashford’s functionality and information.
Some of the exfiltrated files contained information about customers, according to the SEC complaint, including state identification card images, bank account numbers, last four digits of credit card numbers, incident reports, addresses, phone numbers, vehicle descriptions and license plate numbers, folios, and dates of stay. One file contained the sensitive personal identification information of a customer, including a photocopy of the customer’s driver’s license with name, address, and date of birth. Another document provided sensitive financial information of a customer, including a copy of the check Ashford received for payment, which identified the name, routing number, and bank account for the customer.
The SEC’s complaint, filed in the U.S. District Court for the Northern District of Texas, charges Ashford with violating Section 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, and 13a-13 thereunder.
Without admitting or denying the SEC’s allegations, Ashford agreed to settle the SEC’s charges, consenting to an injunction and an order to pay a civil penalty of $115,231, which considers Ashford’s assistance to the SEC staff in its investigation. The settlement is subject to court approval.
As previously reported by The DI Wire, the SEC has included cybersecurity among the areas it will prioritize in examinations this year.