Best Western Denies Report of Massive Data BreachBest Western Denies Report of Massive Data Breach
Scottish newspaper says flaw exposed personal records of 8M hotel chain customers since 2007; Best Western says report is 'grossly unsubstantiated'
August 25, 2008
A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.
In its report, The Sunday Herald stated that "a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia." The newspaper called the attack "the greatest cyber-heist in world history," alleging that it "scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007."
The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. "Best Western took immediate action to disable the compromised login account in question," a hotel spokesman told the paper on Friday. "We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information."
Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.
"The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary," the hotel chain said in a statement following its investigation of the breach.
"Best Western would have welcomed the opportunity to fact check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper," the hotel chain said. "We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper."
While the newspaper report claims the compromise of data occurred for past guests from as far back as 2007, "Best Western purges all online reservations promptly upon guest departure," as required by Payment Card Industry (PCI) Data Security Standards (DSS) specifications, the hotel chain stated.
As of this posting, The Sunday Herald has not responded to the Best Western statement, and the breach story remains at the top of its online news site.
The newspaper's account of the attack stated that "although the nature of Internet crime makes it extremely difficult to track the precise details of the raid, The Sunday Herald understands that a hacker from India -- new to the world of cyber-crime -- succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.
"The stolen login details were then put up for sale and shared on an underground Website operated by a notorious branch of the Russian mafia, which specializes in Internet crime," the newspaper continued. "Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' -- a simple computer program -- capable of harvesting every record on Best Western's European reservation system."
In an email about the breach, a Best Western spokesman said: "There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of The Herald story. We have found no suspicious activity to support them."
The hotel chain said it will post further details on the breach as its investigation continues.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
Tricks to Boost Your Threat Hunting GameNov 06, 2023
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
Everything You Need to Know About DNS Attacks
How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment