Best Western CIO Scott Gibson On The Data Breach That Wasn't

Best Western CIO Scott Gibson hasn't been getting much sleep. "I've decided that sleep is highly overrated," he says ruefully.

Gibson has been dealing with a small data breach that somehow became "one of the most audacious cyber-crimes ever," as Glasgow's Sunday Herald put it.

The Sunday Herald on Monday reported that the previous Thursday night, an "Indian hacker successfully breached the IT defenses of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia."

Eight million records were stolen, according to The Herald.

Gibson says that's just not accurate. There was a data breach. It occurred at the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany. But it didn't involve 8 million records.

InformationWeek spoke with Gibson about what happened.

Gibson: [The Herald] asked us about apples. We gave them comments about apples. Then they wrote a story about oranges. I think that goes a long way to explain what they published and our response the original report. It was a few facts. Those facts were of course very alarming, because it's always alarming when you're talking about the security of the information that belongs to your customers. But they were very limited in scope. So we thought we had an understanding of the story they were telling and we knew we had an understanding of what had actually happened. So I would say probably we didn't give the response that we would if they had told us what they were actually going to report.

InformationWeek: Has The Herald issued a retraction or correction?

Gibson: No, we've certainly asked them to do that but they really haven't been responsive to us.

InformationWeek: How did the Herald arrive at a figure of 8 million?

Gibson: It's hard to speculate where they got that number. If I had to guess I'd say they just did some math. In their original interchange with us, what they asked for was some general information about Best Western. They asked us to corroborate how many hotels we had in Europe and how many guests we would have in a year and they asked us questions like that. Those are the kinds of questions we routinely corroborate because they just go to background. It seems to me that they were taking this information and turning it into these allegations.

InformationWeek: So what really happened?

Gibson: I think we understand that pretty clearly. Somehow somebody gained access to one user ID of one employee at a hotel. As we said in one of our press releases, the universe of data that was subject to exposure on behalf of that one hotel was about 115 records. And we know with certainty at this point that 10 records were viewed by somebody who was making use of that unauthorized access.

InformationWeek: Is there a disconnection between how the media and the public see data breaches and how IT people view them?

Gibson: I think that's a great question. I think that people are generally fearful of what will happen with their personal information. While it's a very serious matter and we take it very seriously, I think that in fact that these kinds of stories play on that fear. While on the one hand we have a clear responsibility -- and we at Best Western take that responsibility seriously -- to communicate with our customers in the event we have a problem, at the same time I think that when we run sensational stories about these kinds of breaches and those stories are uncorroborated stories and the information in them isn't factual, I think it generates a tremendous amount of fear. It's almost as if we're terrorizing these customers and we're terrorizing people with the idea of having their information stolen. It's a legitimate fear but I think that we should be able to find a way to talk about it when it's real and not use it in a sensational way when it's not real.

InformationWeek: Is there way to compare physical security incidents with online security, as a yardstick for the relative seriousness or insignificance of data breaches?

Gibson: That's a good question and I don't know if I have a ready answer to it. The thing that I would say about data security and personal security, given the nature of systems, is the opportunity to impact a lot of people is much, much greater when you're talking about information security. [As a consequence], information security is perceived as a much bigger problem. And I think that that perception is real. One of the obligations that we have when we built these systems and put these systems together is to do everything we can to safeguard that information on behalf of every customer.

The one thing I would say is that while I think The Herald really got it wrong here and really oversold this story and said a lot of things that weren't true, everybody should understand that 10 of our customers had their information compromised. And we take that very, very seriously. We took it seriously when the report first came in and we've taken it seriously throughout this process. We have worked directly with all of the credit card suppliers that are involved in this. We have reported it to the FBI. Our affiliate organization in Germany is working with the German police on an investigation of this. It's a very serious deal to those 10 customers and we take it very seriously.

InformationWeek also recently published its 2008 Security Survey entitled "We're Spending More, But Data's No Safer Than Last Year." Download the report here (registration required). InformationWeek: How did the breach happen?

Gibson: We know today that there was a virus discovered on the personal computer of [an employee] on Friday morning in Germany. We didn't discover it; they discovered it because they were the ones that manage that computer. I know that German authorities are investing that. I know that the story that came out in The Herald argued that a Trojan horse program was used to capture the user's name and password. So I think that's what happened. But not having examined the computer, I don't know for certain. We expect to know that very soon

InformationWeek: Has the data security discussion you have with senior management changed over the past year?

Gibson: I think I'm fortunate to work with an executive team that understands the severity of the data security problem. I've been with Best Western for a little over three years and I have never found it to be a challenge to have the other senior executives agree with me about the importance of that. I think we're very focused on it. The hotel business is a very personal business. In order for you to stay in a hotel, you have to put a lot of trust into the hotel and the hotel company before you make that decision. And that trust extends to the information that you give them to make it possible for you to stay in that hotel. Our whole business is based on trust. So we take the safety and the protection of our customers as seriously as it can be taken.

InformationWeek: Any other thoughts on the incident?

Gibson: One incident like this is one too many. What we know today about what happened is precisely what we knew on Friday. The story that came out over the weekend was a tremendous shock to us. Almost as soon as this was reported to us by the journalist, we understood what had happened, we knew what the extent of it was, we knew who was impacted by it. We were taking the appropriate action. The only thing that has changed since that date is there has been a lot of wild speculation about what has happened, but we have even more confidence about what happened since Friday.

There is one thing I'd like to add. I said earlier that we had reported the incident to the FBI and brought them into the investigation. The FBI at this point has decided not to pursue an investigation, and they've made that decision on seeing no evidence of a crime of [the magnitude claimed by The Herald].