Slashdot Mirror


Best Western Loses Details On 8 Million Customers

Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"

13 of 180 comments

  1. Re:What is a continental hotel? by jrothwell97 · · Score: 2, Informative

    From a British newspaper, yes, 'continental' means 'European', as in a 'continental breakfast'.

    --
    Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
  2. Bad Summary by telchine · · Score: 5, Informative

    The summary is misleading:

    The details weren't "lost", the server was compromised and they were stolen.

    This doesn't affect all Best Western hotels, just some European ones.

    The details stolen are from 2007-2008 (up to 20 months).

    1. Re:Bad Summary by rampant+poodle · · Score: 2, Informative

      Lots of good points here. I have worked with the same type of reservations system. A front desk clerk's credentials could indeed be used to extract the data -- calling up one record at a time. (On versions released in the past five years all but the last 4 numbers of the CCN are masked, so they still would not have everything they might want.)

      A front desk clerk with way too many permissions, working knowledge of Oracle, and a DB password might be more efficient at stealing information.

      Have not been able to find much information on this case yet. Have a feeling that the user level account info was merely the point of entry. There are also some very real Oracle issues and vulnerabilities with the system in question. Yes I am intentionally obfuscating at this point.

      As an aside: The online reservation system stores no data. It sits in a DMZ, serves web pages, and uses PL/SQL (or similar) to talk to a database server. If properly set up and configured it provides good protection to the internal DB server.
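The comment above describes the realistic path for this kind of theft: valid front-desk credentials pulling guest records one at a time, with the card number already masked on screen. The defensive counterpart is to watch the audit trail for a credential that views far more distinct reservations in a short window than a clerk at a desk ever would. The following is an added example in Go, not code from the poster or from any reservation product; the audit line format (`timestamp user VIEW_RESERVATION reservation-id`), the user names and the log contents are all constructed for the demonstration, and the threshold and window are assumptions to be tuned against real baselines.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one record lookup from the reservation system's audit
// log. The line format parsed below is a constructed assumption.
type AccessEvent struct {
	When time.Time
	User string
	Resv string
}

// ParseAuditLine parses one constructed audit line of the form:
//   2008-08-20T10:15:00Z clerk01 VIEW_RESERVATION R-10023
func ParseAuditLine(line string) (AccessEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || f[2] != "VIEW_RESERVATION" {
		return AccessEvent{}, fmt.Errorf("unrecognised audit line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AccessEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return AccessEvent{When: when, User: f[1], Resv: f[3]}, nil
}

// ParseAuditLog parses every line and stops at the first malformed one.
func ParseAuditLog(lines []string) ([]AccessEvent, error) {
	var events []AccessEvent
	for _, l := range lines {
		e, err := ParseAuditLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// FlagBulkLookups returns, for each user whose activity exceeds maxDistinct,
// the largest number of distinct reservations viewed inside any sliding
// window of length `window`. A clerk serving walk-in guests stays far below
// the threshold; a credential paging through the database does not.
func FlagBulkLookups(events []AccessEvent, window time.Duration, maxDistinct int) map[string]int {
	byUser := map[string][]AccessEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	flagged := map[string]int{}
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		inWindow := map[string]int{} // reservation id -> hits inside the window
		peak, start := 0, 0
		for end := range evs {
			inWindow[evs[end].Resv]++
			// Advance the window start until the window spans at most `window`.
			for evs[end].When.Sub(evs[start].When) > window {
				old := evs[start].Resv
				inWindow[old]--
				if inWindow[old] == 0 {
					delete(inWindow, old)
				}
				start++
			}
			if len(inWindow) > peak {
				peak = len(inWindow)
			}
		}
		if peak > maxDistinct {
			flagged[user] = peak
		}
	}
	return flagged
}

// SampleLog builds a constructed audit log: clerk01 looks up six guests over a
// shift, while clerk02's credentials walk through 40 reservations in under
// seven minutes.
func SampleLog() []string {
	base := time.Date(2008, 8, 20, 9, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 6; i++ {
		t := base.Add(time.Duration(i) * 30 * time.Minute)
		lines = append(lines, fmt.Sprintf("%s clerk01 VIEW_RESERVATION R-%d", t.Format(time.RFC3339), 10000+i))
	}
	for i := 0; i < 40; i++ {
		t := base.Add(2*time.Hour + time.Duration(i)*10*time.Second)
		lines = append(lines, fmt.Sprintf("%s clerk02 VIEW_RESERVATION R-%d", t.Format(time.RFC3339), 20000+i))
	}
	return lines
}

func main() {
	events, err := ParseAuditLog(SampleLog())
	if err != nil {
		panic(err)
	}
	for user, peak := range FlagBulkLookups(events, 15*time.Minute, 20) {
		fmt.Printf("ALERT %s viewed %d distinct reservations within 15 minutes\n", user, peak)
	}
}
```

Counting distinct reservations rather than raw requests matters: a clerk refreshing one guest's booking twenty times is noise, while twenty different bookings in a few minutes from one login is the pattern the comment describes. The same query run against a real audit table, with per-role baselines instead of a fixed 20, is the check that turns "we keep logs" into "we would notice".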

  3. Re:What is a continental hotel? by Carewolf · · Score: 5, Informative

    Well, for Brits, Continental means European except British.

  4. Re:What is a continental hotel? by Renegade+Lisp · · Score: 4, Informative

    Replying to myself, I just checked Wikipedia. Best Western has 4,000 hotels world-wide, 2,000 of which in North America. This means that the 1,312 hotels affected are probably all in continental Europe.

  5. Re:What is a continental hotel? by yoghurt · · Score: 2, Informative

    No, jrothwell97 is right. The British do not consider themselves to be European. My British SO's family get indignant when you say they are Europeans. Thus, for the British, Continental is European.

    The Swedes, on the other hand, do consider themselves European, but not continental (despite the Scandinavian peninsula being attached through Finland to Russia).

    --
    Yoghurt
  6. Re:PARDON? by DarkOx · · Score: 2, Informative

    Fine, but if the company did its due diligence, like say privileged IT workers were promoted from within after long periods of honest work, or new people were given careful background checks, then it's sort of unfair to blame the company.

    It's clear whoever did this was found and disabled quickly, so they do keep logs and somebody must be auditing those logs.

    That is all that can reasonably be done about your top level IT admin staff. Beyond that you create policy that says hey, you have to ask someone from executive management before you do this and that, which is all well and good, but in the end those people still have access and can simply not follow the policy if they are doing something with mal intent.

    If it turns out to be something like that I really doubt the organization will be criminally liable. Someone may extract civil damages but I don't think any criminal penalty would stick to the organization as a whole.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  7. Why give your home address ? by Alain+Williams · · Score: 2, Informative

    causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied.

    I always give the hotel a business address - like that some criminal does not know where to go while I am at the hotel. I do the same with labels attached to luggage when flying. I have done this for years.

    When will people learn to give the minimum of personal information that is absolutely necessary?

  8. Fact, Fact and more Facts by NZheretic · · Score: 2, Informative
    From the article:

    ... the Sunday Herald understands that a hacker from India - new to the world of cyber-crime - succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

    "Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60% of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here," explained Erasmus.

    Those large corporate companies rely on anti-virus products to protect Microsoft OS desktops. There is no equivalent Linux plague of viruses in the wild to be concerned about. Even the threat to Mac OS X based desktop systems is minute in comparison to the millions of Microsoft-targeting viruses out in the wild.

    Microsoft's most widely deployed platform and applications have not been secured. The XP platform still has 30 unpatched vulnerabilities, the latest version of Internet Explorer still has 10 unpatched vulnerabilities, and Outlook 2003 (the most widely deployed business version of Outlook) still has one vulnerability outstanding from . Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected. These are all unpatched, widely known vulnerabilities, and are only the ones in Microsoft's own products, not to mention all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.

    In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats.

    Fact: Using a Microsoft based desktop puts you at a far higher risk of being hacked than either a Linux or Mac based desktop.

  9. Re:PARDON? by rapiddescent · · Score: 2, Informative

    Criminally negligent is a very serious allegation you are making. I can not understate that.

    It's easy. Europe, and member states, have strict data protection laws, and Best Western have broken more than one. Certainly, in the UK directors of a company are responsible for data protection and could be criminally responsible - although this has not been tested in court.

    Also, I think Best Western will certainly be having uncomfortable discussions with their merchant acquirers, because Best Western have not met the terms in the acquirer contract to apply PCI DSS (credit card security standards).

    Certainly, I've worked in a few large organisations that have had to encrypt credit card data in databases so that members of staff may not see the data. If Best Western had done this, then the data would have been a bit more secure.
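The point in the comment above, and the masking mentioned earlier in the thread, can be shown concretely: the database row holds the card number only as ciphertext plus a masked form, the front desk application never receives a decryption capability, and only a settlement role can recover the number. The following is an added example in Go, not Best Western's or any reservation vendor's code; the role names, the `Vault` type, the record layout and the test card number (4111111111111111, a standard non-live test PAN) are all constructed for the demonstration, and in practice the key would come from an HSM or key-management service rather than being generated in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// CardRecord is what the reservations table would hold for a guest's card:
// the number only as ciphertext, plus a masked form safe to show any clerk.
type CardRecord struct {
	Masked     string // e.g. "************1111"
	Ciphertext string // base64(nonce || AES-GCM ciphertext)
}

// MaskPAN keeps only the last four digits, as the newer reservation
// software mentioned in the thread does on screen.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Vault wraps the data-encryption key. Only the process holding a Vault can
// decrypt; a database user with SELECT on the table sees ciphertext.
type Vault struct{ aead cipher.AEAD }

// NewVault builds an AES-GCM vault from a 16-, 24- or 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store encrypts the PAN and returns the record to persist. The reservation
// id is bound as associated data, so a ciphertext copied onto another
// guest's row fails to decrypt instead of silently revealing the wrong card.
func (v *Vault) Store(resvID, pan string) (CardRecord, error) {
	if pan == "" {
		return CardRecord{}, errors.New("empty card number")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(resvID))
	return CardRecord{Masked: MaskPAN(pan), Ciphertext: base64.StdEncoding.EncodeToString(ct)}, nil
}

// ErrForbidden is returned to every role other than settlement.
var ErrForbidden = errors.New("role may not reveal full card number")

// Reveal decrypts the PAN only for the settlement role and only for the
// reservation the ciphertext was bound to.
func (v *Vault) Reveal(role, resvID string, rec CardRecord) (string, error) {
	if role != "settlement" {
		return "", ErrForbidden
	}
	raw, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pan, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(resvID))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // constructed: a throwaway key for the demo only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	rec, err := v.Store("R-10023", "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("front desk sees:", rec.Masked)
	_, err = v.Reveal("frontdesk", "R-10023", rec)
	fmt.Println("front desk reveal attempt:", err)
	pan, _ := v.Reveal("settlement", "R-10023", rec)
	fmt.Println("settlement sees:", pan)
}
```

The design choice worth noting is where the boundary sits: a stolen clerk login, or even read access to the database, yields masked values and opaque ciphertext, so the breach the thread discusses would have exposed booking details but not usable card numbers. The associated-data binding is the small extra that stops an insider from re-pointing one guest's ciphertext at another reservation.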

  10. Re:What is a continental hotel? by sticky_charris · · Score: 4, Informative

    We British do consider ourselves to be European. A minority of xenophobes in Britain consider themselves not to be European (or realise they are and would prefer not to be) and an even smaller number don't even consider themselves (or want to be) part of Britain - they are Scottish, Irish, Welsh or English in their eyes. I consider myself Scottish, British and European, and almost everyone I have met with an intelligence regard themselves in the same way.

  11. Re:Not a troll, by tinkertim · · Score: 2, Informative

    Microsoft's OS and applications also have the highest percentage of market share, hence if anyone is seeking to compromise operating systems, it would be far more lucrative for them to do so with MS operating systems. Do you really believe that if Linux or OS X had 90% market share, they wouldn't be compromised?

    That all depends on how well trained the employees of companies who use or administrate computers happen to be.

    No matter the OS, someone opened a bad e-mail. Any employee working from home could have done that.

    In this case, it's probably more productive to put the application storing the information under a microscope rather than the underlying OS, at least to a degree.

  12. Best Western Responds by geeky+grrly · · Score: 2, Informative

    Best Western responds: http://tinyurl.com/5863g8

    Partial reprint, PR gobbledygook removed:

    Posted 6:37 p.m. EDT Aug. 24, 2008

    "The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. [snip] The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel [snip] We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper. Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure. [snip] ...and again, we delete credit card information and all other personal information upon guest departure. SOURCE: Best Western International"

    --
    I've got to get back to work. When I stop rowing, the slaveship just goes in circles.