Hackers breach Best Western in data heist
/v3-uk/news/2008631/hackers-breach-best-western-heist
25 Aug 2008, Iain Thomson , V3
Hackers have broken into the corporate databases for Best Western Hotels and may have stolen the names, addresses and credit card information of every customer who stayed with the international group since 2007.
An investigation by the Sunday Herald found that an unknown Indian hacker got into Best Western’s databases on Thursday and accessed its databases, which contain the names, addresses, credit card numbers and additional customer’s information of people who have used the chain internationally.
"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected," said a spokesman.
"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."
The data on how to get into the database was apparently provided by an Eastern European hacking group and although the security hole the hacker used has now been closed the potential losses to customers could be huge.
It seems the hacker managed to insert a Trojan into the computers of a hotel and logged the user name and password of someone with sufficient security clearance to gain access to corporate servers.
The attack came to light after the company’s database was put up for sale on a sales board for such data.
"They've pulled off a masterstroke here," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.
"There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave."
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
Best Western press-statement
This statement is intended to provide further detail on the largely erroneous story originated by The Sunday Herald newspaper in Scotland, concerning the breach of Best Western?s Central Reservations System.
We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel?s anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.
We can also confirm that we have been able to narrow down the number of customers affected by this breach to ten. We are currently contacting those customers and offering assistance as needed.
We are working with the FBI and international authorities to investigate further.
Points of note:
? The compromised user ID permitted access only to the reservations at a single hotel, and there is no evidence of unauthorized access to data for any other Best Western hotel.
? Best Western purges reservations data within seven days of guest departure, thereby limiting potential data exposure to (1) guests who departed up to one week prior to the exposure; (2) current guests; and (3) future guests of that particular hotel.
? There is no evidence of any unauthorized access to any other customer data.
In the day-to-day conduct of our business, we comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards. We also delete credit card information and all other personal information upon guest departure.
Given the nature of IT security, absent evidence of actual attempts to enter our system without authorization, Best Western?s highest level of response must consist of the following: (1) to continue to monitor for such activity; (2) to assist law enforcement authorities and our credit card partners with their investigation; (3) to amplify our already stringent data security regime, which is of course compliant with PCI standards; (4) to reinforce best data protection practices at our 4000 worldwide hotels. We are actively engaged in all four of these areas, on behalf of our valued customers and member hotels.
We will release other critical information as it becomes available. Customers with concerns are encouraged to call Best Western Customer Care at US 800-528-1238.
Posted by Anke Cimbal, 26 Aug 2008