Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Best Western Denies Report of Massive Data Breach

Scottish newspaper says flaw exposed personal records of 8M hotel chain customers since 2007; Best Western says report is 'grossly unsubstantiated'

A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.

After initially thanking the newspaper and doing its own investigation, however, the hotel chain now says The Sunday Herald's report of a massive breach at Best Western is "grossly unsubstantiated."

In its report, The Sunday Herald stated that "a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia." The newspaper called the attack "the greatest cyber-heist in world history," alleging that it "scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007."

The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. "Best Western took immediate action to disable the compromised login account in question," a hotel spokesman told the paper on Friday. "We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information."

Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.

"The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary," the hotel chain said in a statement following its investigation of the breach.

"Best Western would have welcomed the opportunity to fact check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper," the hotel chain said. "We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper."

While the newspaper report claims the compromise of data occurred for past guests from as far back as 2007, "Best Western purges all online reservations promptly upon guest departure," as required by Payment Card Industry (PCI) Data Security Standards (DSS) specifications, the hotel chain stated.

As of this posting, The Sunday Herald has not responded to the Best Western statement, and the breach story remains at the top of its online news site.

The newspaper's account of the attack stated that "although the nature of Internet crime makes it extremely difficult to track the precise details of the raid, The Sunday Herald understands that a hacker from India -- new to the world of cyber-crime -- succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

"The stolen login details were then put up for sale and shared on an underground Website operated by a notorious branch of the Russian mafia, which specializes in Internet crime," the newspaper continued. "Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' -- a simple computer program -- capable of harvesting every record on Best Western's European reservation system."

In an email about the breach, a Best Western spokesman said: "There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of The Herald story. We have found no suspicious activity to support them."

The hotel chain said it will post further details on the breach as its investigation continues.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11674
PUBLISHED: 2019-10-22
Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.
CVE-2019-12967
PUBLISHED: 2019-10-22
Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control.
CVE-2019-17189
PUBLISHED: 2019-10-22
totemodata 3.0.0_b936 has XSS via a folder name.
CVE-2019-4523
PUBLISHED: 2019-10-22
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 165481.
CVE-2019-17424
PUBLISHED: 2019-10-22
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.