Best Western Disputes Breach

This past Sunday a paper in Glasgow accused Best Western of experiencing a website breach and losing 8 million records.

Marketwatch has printed a full response by the Hotel that disputes the claim:

We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.

Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.

They point out that they are PCI compliant and were not invited to fact check the article before publication. The breach database still show 8mil.

The story in the paper seems so sensational it reads like a worthless tabloid. Perhaps on the next page they warn us about alien babies that look like Britney Spears?

…late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history.

[…]

“In the wrong hands, there’s enough data there to spark a major European crime wave.”

Sensational. Apparently someone in India managed to get a Best Western employee to install malware. The malware stole that users password. The password was then posted on an Internet site, where someone else decided to use it to login to the Best Western system and download customer records.

This is about as sophisticated as breaking into the ground floor of a hotel with a hammer.

There are a number of simple controls required by PCI that would have prevented the kid in India from getting to step one, let alone two. Let us hope that Best Western is as compliant as they say they are.

It will be interesting to see how things play out now that Best Western claims 13 guests are affected instead of the 8 million records first reported stolen.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.