This past Sunday a paper in Glasgow accused Best Western of experiencing a website breach and losing 8 million records.

Marketwatch has printed a full response by the Hotel that disputes the claim:

We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.

Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.

They point out that they are PCI compliant and were not invited to fact check the article before publication. The breach database still show 8mil.

The story in the paper seems so sensational it reads like a worthless tabloid. Perhaps on the next page they warn us about alien babies that look like Britney Spears?

…late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history.

[…]

“In the wrong hands, there’s enough data there to spark a major European crime wave.”

Sensational. Apparently someone in India managed to get a Best Western employee to install malware. The malware stole that users password. The password was then posted on an Internet site, where someone else decided to use it to login to the Best Western system and download customer records.

This is about as sophisticated as breaking into the ground floor of a hotel with a hammer.

There are a number of simple controls required by PCI that would have prevented the kid in India from getting to step one, let alone two. Let us hope that Best Western is as compliant as they say they are.

It will be interesting to see how things play out now that Best Western claims 13 guests are affected instead of the 8 million records first reported stolen.

I have seen some people point out that the Hannaford CIO is pointing fingers at Microsoft. That is true, and he does not mince words about it. However, I do not think that detracts from his more important messages. First, he calls for an in-depth strategy and second he calls for end-to-end encryption. Both points are excellent advice, and the latter is why I have been working with the OASIS EKMI TC for several years — an extension of a project to build end-to-end encryption at West Marine back in 2004.

He finds particular fault in one aspect of the current PCI standard: “All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It’s astonishing that isn’t the standard of PCI,” which only requires encryption when transmitting over a public network such as IP.

Right, although it requires encryption of the network as opposed to the card numbers themselves. The latter would be a more useful system as it would simplify internal monitoring for malicious traffic.

Homa’s key point is that most retailers handle security backwards: Don’t pour everything into protecting the front door. Assume they’ll get through and have a plan to control them once they’re inside.

[…]

Homa has his own strong security strategy, which seems to be a minority view. It’s futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they’ll get in.

I do not think that is a minority view. That is the standard defense-in-depth approach and a best practice since the beginning of information security, let alone physical security.

The article really does not do Bill Homa any favors as it makes him look like he has gone off the handle about Microsoft. The author also points out that PCI auditors could be a risk too. All around pretty weak analysis, so probably not even worth a read, but I at least recognized that Homa has painted a picture of PCI security that many of us were advocating many years ago.

An amazing ststory has emerged in Canada where 35-year-old Timothy Moisan faced 14 years in jail for operating “a massive operation designed to steal people’s identities, con into their bank accounts, and steal their money”:

In the end, there’s no explanation about how the man behind one of the biggest identity theft rings ever in B.C. got off serving only six months plus a day. Critics say sentences like this will only bolster a growing epidemic.

Just the fact that the accused was in possession of “stacks of passports, driver’s licenses, and credit cards” as well as “reams of stolen mail” might suggest a significant penalty. Instead, he pleaded guilty and walked free, while thousands of people spend money and time to recover their stolen identity information.

The judge gave him a year in jail. But because he had spent six months in custody awaiting trial — time which is weighed twice because it’s before trial — he had effectively finished the sentence before it began.

Will Canada soon become a haven for ID theft operations? I wonder if someone could pursue Moisan under PIPEDA by complaining to the Office of the Privacy Commissioner of Canada, and then take him to Federal Court of Canada under section 14. Alternatively, perhaps he could be charged for each identity under Section 264. (1) of the Criminal Code for harassment, since it covers stealing mail and electronic identity theft. Maybe he already was charged and the judge really did not see any harm from ID theft…the kind of harm documented in the criminal code.