To say Best Western disputes the depth of the breach is an understatement. A Best Western spokeswoman just issued a statement to InformationWeek stating that the breach, so far, has only been confirmed to involve 13 guests at a single hotel. If this turns out to be the scope of the breach, that's certainly great news, and nowhere near the 8 million suspected identities placed at risk of theft as was previously reported. Of course, the investigation into what, exactly, the alleged attacker was able to steal is still under way. Below is the relevant part of the statement, issued just minutes ago, which is much closer to how Best Western probably should have responded immediately after learning of the incident:
We continue to learn more about the alleged data security breach issue and will release an updated statement with more detail later today.
In the meantime, we want to let you know the following: There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them.
This quote, from this newspaper, certainly did not help calm the nerves of any customers who have recently visited a Best Western in Europe:
Tim Wade, head of marketing for Best Western GB, said it was "unlikely" that whoever was responsible got hold of the details of "every booking at every hotel" in Europe because of the way their system worked.
InformationWeek's original post on the incident is here.
Best Western's initial follow-up statement can be found in this post.
InformationWeek will update the status of the alleged breach as new information warrants.