Best Western CIO Scott Gibson On The Data Breach That Wasn't

Gibson has been dealing with a small data breach that somehow snowballed into eight million records stolen and tagged as "one of the most audacious cyber-crimes ever."

InformationWeek: How did the breach happen?

Gibson: We know today that there was a virus discovered on the personal computer of [an employee] on Friday morning in Germany. We didn't discover it; they discovered it because they were the ones that manage that computer. I know that German authorities are investigating that. I know that the story that came out in The Herald argued that a Trojan horse program was used to capture the user's name and password. So I think that's what happened. But not having examined the computer, I don't know for certain. We expect to know that very soon.

InformationWeek: Has the data security discussion you have with senior management changed over the past year?

Gibson: I think I'm fortunate to work with an executive team that understands the severity of the data security problem. I've been with Best Western for a little over three years and I have never found it to be a challenge to have the other senior executives agree with me about the importance of that. I think we're very focused on it. The hotel business is a very personal business. In order for you to stay in a hotel, you have to put a lot of trust into the hotel and the hotel company before you make that decision. And that trust extends to the information that you give them to make it possible for you to stay in that hotel. Our whole business is based on trust. So we take the safety and the protection of our customers as seriously as it can be taken.

InformationWeek: Any other thoughts on the incident?

Gibson: One incident like this is one too many. What we know today about what happened is precisely what we knew on Friday. The story that came out over the weekend was a tremendous shock to us. Almost as soon as this was reported to us by the journalist, we understood what had happened, we knew what the extent of it was, we knew who was impacted by it. We were taking the appropriate action. The only thing that has changed since that date is there has been a lot of wild speculation about what has happened, but we have even more confidence about what happened since Friday.

There is one thing I'd like to add. I said earlier that we had reported the incident to the FBI and brought them into the investigation. The FBI at this point has decided not to pursue an investigation, and they've made that decision on seeing no evidence of a crime of [the magnitude claimed by The Herald].