Ransomware victim disclosure
← All victimsOna Hotels & Apartments
listed as www.onahotels.com · Claimed by Lynx · listed 10 months ago
Status timeline
- ListedSep 4, 2025
- Data leakeddate unknown
At a glance
- Group
- Lynx
- Status
- Data leaked
- Country
- Spain
- Sector
- Hospitality and Tourism
- Listed on leak site
- Sep 4, 2025
About the victim
AI dossier — public-source company profileOna Hotels & Apartments is a Spanish hospitality group operating a large portfolio of hotels, aparthotels, and vacation apartments across popular Spanish destinations including Costa del Sol, Tenerife, Mallorca, Barcelona, Lanzarote, Costa Dorada, and the Canary Islands, as well as properties in Morocco and Andorra. The group also manages the Be Live brand of hotels. Their official booking site is www.onahotels.com.
- Industry
- Hotels & Apartment Tourism
Attack summary
Severity: high — Data is marked as published by a known ransomware group targeting a hospitality operator, which likely holds significant volumes of guest PII (names, passport details, payment information, booking data) across dozens of properties in multiple countries. Published data status elevates severity beyond medium even without a stated data size.The Lynx ransomware group has claimed an attack on Ona Hotels & Apartments and the disclosure status is listed as data_published, indicating that exfiltrated data has been released. No specific data size or ransom amount has been stated in the post.
Data the group says was taken
AI dossier — extracted from the leak post- Guest booking records
- Customer personal information
- Internal business documents
- Financial records
What the group claims
Ona Hotels pone a tu disposición los mejores alojamientos de los mejores destinos. Entra ahora y reserva al mejor precio en la web oficial.
Sources
Source
Indexed 10 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

