informa
/
Risk
News

Best Western Denies Report of Massive Data Breach

Scottish newspaper says flaw exposed personal records of 8M hotel chain customers since 2007; Best Western says report is 'grossly unsubstantiated'

A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.

After initially thanking the newspaper and doing its own investigation, however, the hotel chain now says The Sunday Herald's report of a massive breach at Best Western is "grossly unsubstantiated."

In its report, The Sunday Herald stated that "a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia." The newspaper called the attack "the greatest cyber-heist in world history," alleging that it "scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007."

The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. "Best Western took immediate action to disable the compromised login account in question," a hotel spokesman told the paper on Friday. "We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information."

Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.

"The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary," the hotel chain said in a statement following its investigation of the breach.

"Best Western would have welcomed the opportunity to fact check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper," the hotel chain said. "We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper."

While the newspaper report claims the compromise of data occurred for past guests from as far back as 2007, "Best Western purges all online reservations promptly upon guest departure," as required by Payment Card Industry (PCI) Data Security Standards (DSS) specifications, the hotel chain stated.

As of this posting, The Sunday Herald has not responded to the Best Western statement, and the breach story remains at the top of its online news site.

The newspaper's account of the attack stated that "although the nature of Internet crime makes it extremely difficult to track the precise details of the raid, The Sunday Herald understands that a hacker from India -- new to the world of cyber-crime -- succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

"The stolen login details were then put up for sale and shared on an underground Website operated by a notorious branch of the Russian mafia, which specializes in Internet crime," the newspaper continued. "Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' -- a simple computer program -- capable of harvesting every record on Best Western's European reservation system."

In an email about the breach, a Best Western spokesman said: "There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of The Herald story. We have found no suspicious activity to support them."

The hotel chain said it will post further details on the breach as its investigation continues.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5