Guests at a luxury hotel owned by the Thompson Group could see their private emails published online, according to court documents filed last week.
The documents detail how a hacker set up an open Wi-Fi portal at the hotel and snooped on web emails that were sent through the system.
The hacker then attempted to extort money from the hotel chain by threatening to publish the emails.
"On 30 September the defendant sent an email to one of the principles of Thompson," the court documents read.
"That email taunted the plaintiff about the defendant's receipt of the unauthorised information, attempted to embarrass key employees of Thompson and contained an implied threat to further disseminate the stolen emails to the public.
"Indeed, in an attempt to embarrass Thompson, the defendant sent the material it stole to at least one third party."
The IP address of the sender was identified as coming from Sunnyvale in California. Further details about the identity of the hacker, who has not been caught, are not included.
The attack will be deeply embarrassing to the Thompson Group, which has luxury hotels in New York, Los Angeles and Washington DC. The company could also be sued if embarrassing details about its guests become public.
The case shows that hotels and other venues offering Wi-Fi will have to beef up security sooner rather than later, according to David Hobson, managing director of Global Secure Solutions.
"Many hotel guests use webmail, rather than email client software, on their laptops for the sake of convenience," he said.
"If a hacker gains access to an open Wi-Fi network in the hotel, they can easily eavesdrop on the web mail sessions with potentially embarrassing consequences for the guests and the hotel concerned."
Hobson warned that other hotels should now be looking to their Wi-Fi security procedures to prevent a possible run of copycat attacks.
"Using Wi-Fi passwords is not rocket science, it's common sense security," he said. "While this has highlighted one potential issue with open web mail, it also highlights issues with all open public hotspots."
by Iain Thomson