Best Western Loses Details On 8 Million Customers

Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"


  1. Not such a bad thing... by pppppppman · · Score: 2, Insightful

    I didn't see what the problem was, until it got to the part about "compromised accounts", etc. I thought they just lost it, like a hard disk died or they shredded them accidentally. Took me until halfway through the page to realize they "lost" it to someone else.

  2. Re:Greatest cyber-heist in world history by Swampash · · Score: 2, Insightful

    By definition, the "Greatest" cyber-heist is one that we don't know about, since its greatness inheres in the fact that it's undetectable.

  3. PARDON? by jrothwell97 · · Score: 3, Insightful

    'Best Western took immediate action to disable the compromised log-in account in question...

    WHAT? In that case, they haven't lost the data due to carelessness (which I can just about forgive)- they've failed to secure their systems, which is criminally negligent.

    --
    Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.

    1. Re:PARDON? by EdIII · · Score: 3, Insightful

      Criminally negligent is a very serious allegation you are making. I cannot understate that.

      I highly doubt that the Best Western meets the standards for criminal negligence in this case. In fact, the article mentions that they deactivated the compromised security credentials of the employee in question immediately. That alone suggests that levels of security were present in their information systems. You would seem to suggest that the fact they did means the security did not exist, which is contradictory. The security existed, it was just bypassed or failed in some way. Failure does not automatically equal negligence.

      Remember, that criminal negligence is prosecuted by an attorney representing the state or the "people" which can result in jail time. There are several levels of criminal negligence. ALL of them involve the intent of the person(s) accused. In order to be criminally negligent a person would have to have knowledge that their actions (or lack of actions) would contribute to the harm of another. Furthermore, the reasonable person standards are also used. This reasonable person is appropriately informed, capable, aware of the law, and fair-minded. A reasonable person would have to conclude that the Best Western knew their security policies were inadequate and that there was a high probability that the sensitive information of their customers would be compromised in some way.

      I highly doubt that a reasonable person, which would most likely be a network administrator or somebody possessing the requisite skill sets, would conclude that the security measures were that inadequate and that the Best Western had knowledge of that fact. Logon credentials by themselves suggest that.

      You should also know that to even consider criminal negligence, a crime must take place as a result of the negligence. Any culpability, or liability is related to those crimes only. The theft of the data is not a crime that could be considered either. It has to be a crime resulting from that criminal act. If I took my handgun and deliberately left it in the street and somebody picked it up and shot another person, that would be the situation I am referring to. So until it is proven that a suitably large number of customers were financially damaged to a large degree, criminal negligence would never even be discussed by any prosecutors in the first place. Considering the protections afforded to most credit card customers, the vast majority of all damage is going to be against the credit card companies anyways, so it would be up to them. It is far more likely that a civil suit will result from this, and only if the credit card companies believe they can construct a case that will convince a jury that negligence exists.

      Now if the Best Western made a habit out of keeping all the information in plain text files on shared network drives, on computers directly attached to the Internet, with no firewalls with full access permissions for anonymous people, then you would absolutely have a point.

      The reality of the situation suggests that they may have been negligent (doubtful), but to suggest jail time for those involved is a bit drastic, premature, and certainly not supported by the information we possess from this summary, let alone the whole article.

    2. Re:PARDON? by Wildclaw · · Score: 2, Insightful

      Considering the protections afforded to most credit card customers, the vast majority of all damage is going to be against the credit card companies anyways, so it would be up to them. It is far more likely that a civil suit will result from this, and only if the credit card companies believe they can construct a case that will convince a jury that negligence exists.

      The credit card companies trying to build a case of negligence???

      The whole idea of using a number that you have to show to untrusted individuals to make a payment and which can be reused any number of times is negligent in itself.

      The sooner we get rid of credit card numbers the better.

    3. Re:PARDON? by AK+Marc · · Score: 4, Insightful

      Don't rush to judgements without the facts being in. It's entirely possible from what was posted there that a single employee did something bad, not that the whole organization was negligent.

      If you can break one account and download millions of records before anyone notices and you allow all that anonymously over the Internet, then I'd say there are some systemic problems. That is by far the easiest way to do it, but also the least secure. If any single user account gets hacked, the entire database is open for quick and easy download. But, if you had people go through a front-end that only fed one record at a time, logged all records presented to which accounts, froze the account at more than 10 records per minute or 100 in a day (or whatever number works) then you could make a system that would still allow for a user that gives away his username and password and not make millions of records available for immediate download. And even if it did happen, you'd have an exact record of every record touched, to limit exposure and damages (no one claiming they were affected when they weren't).

      Compartmentalization is important for security, but never done because it is often inconvenient for the users. The trick is to fine for just the loss of records, something like $10 per record exposed, so that they will treat them like real money, not just a PR issue if things go wrong. The current method of them paying only with proof of damages to a person, or buying a credit watch for a year (probably at some obscenely discounted rate and gets you on the credit report company's mailing list) is a joke. Make it cost real money and you'll see more lying about when they do happen and more security to prevent them from happening.

      Even if you have separation of powers you are still vulnerable. Suppose the DBA and the System Admin are different people. Maybe the DBA keeps things locked up tight and the database itself is encrypted. The system admin can still just sit and read memory all day and collect the info that way. I used to do this in school. Some of us had shell accounts in the comp sci dept. I never had to "break" or get elevated privileges past any security but I could collect lots of interesting information by running a little C program I wrote which allocated a big character array, did not initialize it and then wrote the contents to disk every few moments, lather rinse repeat.

      Or, they give full read access to everyone so that some accountant somewhere has an easier time setting up Crystal Reports to run a monthly report. You don't need high level access to compromise the data. Even the lowest read-only access will expose every record in it.
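
One way to build the throttled, audited front-end AK+Marc describes, as an added example that is not code from the post or from any hotel system. The guest table, the account names and the 10-per-minute / 100-per-day limits are constructed assumptions taken from the comment, not a real policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed stand-in for the guest database: record id -> guest details.
GUESTS = {i: {"name": f"Guest {i}", "card_last4": f"{i:04d}"} for i in range(1, 201)}


class AccountFrozen(Exception):
    """Raised when an account trips a limit, or reads while already frozen."""


@dataclass
class AccessGateway:
    """Serves one record per call, logs every access, freezes noisy accounts.

    The limits follow the comment's suggestion (10/minute, 100/day); they are
    assumptions for the example, not any real operator's configuration.
    """
    per_minute: int = 10
    per_day: int = 100
    frozen: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)   # (time, account, record_id)
    _window: dict = field(default_factory=lambda: defaultdict(deque))

    def fetch(self, account: str, record_id: int, now: float) -> dict:
        """Return exactly one record, or raise AccountFrozen."""
        if account in self.frozen:
            raise AccountFrozen(account)
        times = self._window[account]
        times.append(now)
        while times and now - times[0] >= 86400:   # forget reads older than a day
            times.popleft()
        last_minute = sum(1 for t in times if now - t < 60)
        if last_minute > self.per_minute or len(times) > self.per_day:
            self.frozen.add(account)                # bulk dump stops here
            raise AccountFrozen(account)
        self.audit_log.append((now, account, record_id))
        return GUESTS[record_id]

    def records_touched(self, account: str) -> list:
        """Exact list of records one account read, for scoping a breach."""
        return sorted({rid for _, acc, rid in self.audit_log if acc == account})


def simulate_bulk_read(gateway: AccessGateway, account: str, start: float = 0.0) -> int:
    """Read every guest record one per second with a leaked login; return how many got out."""
    leaked = 0
    for rid in GUESTS:
        try:
            gateway.fetch(account, rid, now=start + leaked)
            leaked += 1
        except AccountFrozen:
            break
    return leaked
```

With a leaked login the simulated dump stops after ten records, and the audit log names exactly which ten were exposed.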

    4. Re:PARDON? by mpe · · Score: 2, Insightful

      Fine, but if the company did its due diligence, like say privileged IT workers were promoted from within after long periods of honest work, or new people were given careful background checks, then it's sort of unfair to blame the company.

      None of these address the real issue of storing data for considerably longer than it was necessary. Including data which should only have been in the system for a matter of seconds and never written to any non volatile storage.

  4. This incident brought to you by Microsoft by toby · · Score: 2, Insightful

    bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations

    We all know that's a very difficult attack when Windows is involved! Amazing cleverness here.

    --
    you had me at #!

  5. How much has to happen 'til we see consequences? by Opportunist · · Score: 4, Insightful

    We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere. Yet we have "data loss" on an almost weekly base and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor? Because, well, did you see anything happening out of it? I didn't.

    These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?

    Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  6. The problem here is more than data "loss". by fuzzyfuzzyfungus · · Score: 4, Insightful

    The issue is not so much that the data were stolen, though obviously that is bad; but that the hotel made it worse by keeping data on hand that weren't necessary. "Employment details"? WTF? I recognize that certain data are unavoidable in such a system; but I would like to see substantially greater penalties for those who compromise customer data that they don't even have a good reason for keeping.

    Incidentally, when did we start using the term "lose" as a polite synonym for "fuck up in fine style"?

  7. Re:Bad Summary by Anonymous Coward · · Score: 2, Insightful

    Yeah. Personally, I'd like it if more companies *actually lost* my personal information more often. As in, "oops, that personal information was irretrievably deleted."

  8. Not a troll, by NZheretic · · Score: 3, Insightful

    Not a troll!

    - The article states that the passwords were leaked via a Microsoft desktop OS compromised by a password-sniffing Trojan spread via a virus.
    - Microsoft's OS and applications are disproportionately at a far greater risk of being compromised than any other platform. That is a fact!
    - Class action lawsuits are a valid method for the public to change the behavior of both large business and governmental agencies. For example, the EFF have been involved with many Class action lawsuits, to change the behavior of both business and governmental agencies.

    Microsoft has been hinting that organizations deploying Linux are at risk from Microsoft's so called patents, however those same Microsoft customers face a much greater risk and loss from compromised Microsoft desktop systems.

    And You Sir, are just another gutless Nym-shifting Microsoft Astroturd who is not even worth rating.

    1. Re:Not a troll, by jimicus · · Score: 2, Insightful

      There's nothing intrinsic to Linux which would prevent an application running as an unprivileged task in userland hooking into the desktop environment and passing keystrokes to an unknown outside attacker.

      I grant you, this hasn't happened yet. But there's little that could prevent it.

      You could significantly reduce the risk, however, by reducing how much access each user has to various systems, firewalling between departments and blocking not just incoming traffic but also outgoing traffic at the border, only allowing known-good traffic to pass.

      This exact same technique works equally well regardless of what OS you use on the desktop ;)

  9. Why by geogob · · Score: 3, Insightful

    Most of the time, when I read a story along these lines (lost data, stolen data, client personal details incl. credit info), I have to ask myself "do they really need to archive all this data on their customers?"

  10. I always wondered... by hyades1 · · Score: 2, Insightful

    ...why the spokesdrones for so many major companies are allowed to spew the most outrageous bullshit ("We care about our staff"; "The privacy of our guests is our number one concern", etc.), and nobody in the mainstream press ever calls them on it.

    Even politicians, for whom lying is as easy and natural as breathing, are rarely so brazenly, in-your-face dishonest.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.

  11. Re:What is a continental hotel? by Anonymous Coward · · Score: 1, Insightful

    No, both are correct but Carewolf is the more accurate. "The continent" is a way to distinguish between all of Europe and the rest of Europe.

    FWIW, "Europe" can also refer to "the rest of Europe", though it requires more attention to context and therefore "continental" is preferred. "Continental Europe" is better still, but between Brits the context can render either word redundant.

    None of this has anything to do with whether Brits consider themselves European, which itself could have a multitude of meanings. If they're going so far as to be indignant, I suspect they're either xenophobes or, most likely, see the EU as meddling in British affairs.

    For what it's worth, the only Americans who will call themselves that are the ones who think you mean the USA, rather than the Americas.

  12. Re:Bad Summary by mpe · · Score: 2, Insightful

    Personally, I'd like it if more companies *actually lost* my personal information more often. As in, "oops, that personal information was irretrievably deleted."

    Or even as in they don't store personal information beyond the point when it is actually needed.
    All sorts of companies appear to treat infrequent, even "once only" customers as though they are frequent repeat customers. It simply doesn't make much sense for a hotel chain to do this. With the possible exception of big corporate customers, the typical customer simply does not use their facilities that often. There is simply no good reason to store credit card details after any transactions (including those related to theft from/damage to rooms) are completed.