Best Western Loses Details On 8 Million Customers
Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"
The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?
I stayed at Best Western in the US late last year. Luckily, I have since then changed to a different credit card than the one I used at the time.
The last time when a company I did business with lost my credit card details, I decided I wouldn't do anything about it until I really saw an unauthorized withdrawal from my account. Because in the past, when there was an unauthorized withdrawal (only happened to me once), a single phone call to the credit card company had been enough to get my money back (some 300 Euro). They said they would start to investigate it, but because it could take a long time, "here's your money back as a first measure."
With the recently stolen card info, I got a notice from my bank a few months later that they had to disable my card because there was an attempt to commit fraud with it. I got a new card with no further action required on my part.
Either way, this could turn out to be a big hassle for Best Western. If only they could let me know if my personal data was affected.
From TFA:
This sounds a bit exaggerated to me. Greatest Cyber-Heist? What are the odds they just hadn't bothered to encrypt the details or had done something silly with the encryption keys?
If a business or government body is not taking due care with the private information they hold on the public which could lead to identity theft then they are at risk of being sued.
Get copies of the antivirus scanner logs from any business or governmental body for their desktops and laptops. You will have a large list of all the malware that was cleaned up post-infection. That malware was actually executed and run on the same computers handling your sensitive data. Some of that malware even exploited vulnerabilities in Microsoft applications and operating systems prior to an update fix being made available by Microsoft.
In comparison to any Mac OS X or Linux based desktop, Microsoft's desktop operating systems and Microsoft's desktop applications face a disproportionately higher risk of being "infected" with hostile malware. Just relying on third-party antivirus software to prop up Microsoft's flagging security record in no way puts you any closer to the level of security that a switch to another vendor's desktop platform can provide. (Just updating to Vista is no guarantee of better security in comparison to another vendor's platform.)
A business or government body is not taking due care with the private information they hold on the public if they continue to use Microsoft desktop OS environments or Microsoft desktop applications. That is your credit card data, banking details, health care info and social security information. If switching to Linux or Mac OS X based desktops would greatly reduce the risk of further intrusion, why should organizations not be "encouraged" to make the move?
If anyone's customers are at greater risk of being sued for using a vendor's product, it is Microsoft's own customers.
From here:
Unlike other chains, which are often a mix of company-owned and franchised units, each Best Western hotel is an independently owned and operated franchise. Best Western does not offer franchises in the traditional sense (where both franchisee and franchisor are operating for-profit), however. Rather, Best Western operates as a nonprofit membership association, with each franchisee acting and voting as a member of the association.
I am the musician
with a pocket calculator in my hand
Kraftwerk
they've failed to secure their systems
Best Western took immediate action to disable the compromised log-in account in question...
Don't rush to judgements without the facts being in. It's entirely possible from what was posted there that a single employee did something bad, not that the whole organization was negligent. In most computer systems you ultimately have to have someone or a small group of people that are "root". Some account has to have the authority to do just about anything to the system in case it needs to be fixed, in a hurry.
Maybe a principal DBA decided to join the mob in this case, who knows?
Even if you have separation of powers you are still vulnerable. Suppose the DBA and the System Admin are different people. Maybe the DBA keeps things locked up tight and the database itself is encrypted. The system admin can still just sit and read memory all day and collect the info that way. I used to do this in school. Some of us had shell accounts in the comp sci dept. I never had to "break" or get elevated privileges past any security, but I could collect lots of interesting information by running a little C program I wrote which allocated a big character array, did not initialize it and then wrote the contents to disk every few moments, lather, rinse, repeat.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
"What of the risk to Microsoft's own customers from continuing to use Microsoft's demonstratively more insecure products?"
..
Yeah, what indemnification does the software provider give to the end user in such an eventuality? I mean, after all, they do indemnify you against getting sued (by whom?), as long as you use a 'covered' product.
davecb5620@gmail.com
.. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company, so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).
Personally, I'm waiting until one of the token manufacturers gets a deal with VISA and Mastercard. After all, a credit card is but a reference number to the contract you have with a credit card provider, and a token can do that just as well. But it could change the static challenge-response PIN with something smarter, and some tokens I've seen are even capable of working securely over a standard web browser.
Let me translate that last one for you: no more "secure" terminals needed (which is where some hacks now happen), using a token could be as simple as integrating an iframe right into the POS display. Also means safer shopping at home, btw.
And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.
Insert
Best Western wasn't deprived of their backups, were they? So by famous Slashdot Meme-Think, the info "wasn't stolen", it was "infringed"!
Since people don't make money by selling their personal details anymore, you can always go to their houses for live performances!
Since the "making available" theory is in trouble these days, we look for actual proof of data download... which we have, right? Then can we get the FBI to go after these guys for statutory damages of 3*$1*8M = $24 Million? (Because many songs have shorter lyrics than what a hotel collects)
Grand Theft Prosecution FTW!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
This whole thing is very confusing to make sense of, starting with British writers that write like the National Enquirer.
Starting at the beginning, from TFA, someone from India "planted a trojan virus on one of the [continental] Best Western Hotel machines used for reservations" collecting the username and login of a staff person's login.
So what does that give them? A log in to the Best Western reservations system. Gee, wonder how many people know that top secret info? Like every freakin Best Western counter clerk, for starters.
And then what does one do when logged in to a reservations system? They make reservations!!! Holy cow, that's top secret too.
So here's where it gets confusing. How does someone knowing the login to a reservations system, which is like everyone using it, allow anyone who's logged in to acquire the entire reservations history table?
If anyone can do it by selecting history on all or something, then any Best Western clerk could have retrieved all this info at any time just by logging in.
With the trojan virus hocus-pocus talk, there is an implied possibility that the virus spread to the server which provided a back door to retrieve the info, but that isn't stated. What's stated is that the trojan merely recorded a login and the Indian got it. We know that is what is happening in bot networks all over the world. It's just a matter of which logins get snapped up from an unsuspecting user.
So either any Best Western clerk could retrieve all reservation history including credit card info at any time, in which case the Indian might just as well have worked for one, or there's an unspecified and unexplained access to the server that provided a backdoor FTP from the server.
One or the other, but if the first then it wouldn't be the greatest cyber-crime ever, it would be the worst reservation system server software in history.
If the second, again, a clerk could have copied a trojan virus file from a floppy to the reservations PC and logged in, doesn't require a "hacker" at all.
My guess from the frenzied journalism is that a reservations clerk login is all it took, rather than hoping the trojan virus could both capture the login and then also migrate successfully to the server, since trojans generally aren't multi-OS aware and, assuming the server was the same OS, it would have had to migrate with standard trojan attack vectors for that OS. I find that hard to believe though.
I also wonder whether there were any confirmed sightings of the info being offered in criminal forums by any of these quoted security experts or just how it came to be known that the entire reservations history table has been downloaded by anyone who acquired the reservations system login from the Indian.
Gee, having a Best Western reservations system login being the cyber-crime of the century is the goofiest thing I've seen since the last /. debacle thread, and we don't have to go too far back to find one.
rd
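The question raised in the comment above (how a single clerk-level reservations login could pull the entire history table) points at the control a defender would want on such a system: per-account volume monitoring. As an added example, not from the article and not Best Western's code, here is a small detector that runs over constructed access-log lines in a hypothetical `user=... action=... records=...` format and flags any account whose retrievals within a sliding window exceed a baseline; the window, the threshold and the log format are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not a real system's output):
#   <ISO timestamp> user=<account> action=<verb> records=<count returned>
SAMPLE_LOG = """\
2008-08-24T09:00:01 user=clerk_madrid action=lookup records=1
2008-08-24T09:00:40 user=clerk_madrid action=book records=1
2008-08-24T09:01:15 user=clerk_paris action=lookup records=2
2008-08-24T09:02:00 user=clerk_madrid action=lookup records=1
2008-08-24T02:13:05 user=clerk_berlin action=export records=250000
2008-08-24T02:14:10 user=clerk_berlin action=export records=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) records=(?P<n>\d+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, record_count) tuples.

    Lines that do not match the assumed format are skipped rather than
    raising, so a malformed line cannot silence the whole detector.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["user"], m["action"], int(m["n"]))
        )
    return events


def flag_bulk_access(events, window=timedelta(minutes=10), max_records=500):
    """Return {user: peak_records} for every account that returned more than
    max_records rows inside any sliding window of the given length.

    A clerk doing normal lookups and bookings stays in single digits; an
    account that dumps the history table trips the threshold regardless
    of whether it did so in one query or many small ones.
    """
    by_user = defaultdict(list)
    for ts, user, _action, n in events:
        by_user[user].append((ts, n))

    flagged = {}
    for user, recs in by_user.items():
        recs.sort()  # chronological order for the sliding window
        start = 0
        total = 0
        peak = 0
        for end in range(len(recs)):
            total += recs[end][1]
            # Shrink the window from the left until it fits the time bound.
            while recs[end][0] - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            peak = max(peak, total)
        if peak > max_records:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, peak in flag_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} returned {peak} records within 10 minutes")
```

The threshold here is a constructed baseline; in practice it would be derived from the observed per-role distribution of rows returned, and the alert would also carry the account's login source, since the thread's own scenario is a legitimate credential used from an unexpected host.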
I consulted briefly for Best Western in the US several years ago. I have also worked for a couple of other similar hotel chains for several years. I can tell you that at the time BW was years behind the other chains, and I would assume nothing has changed since then. They wasted millions of dollars on system upgrades that went nowhere, and since I left they have apparently offshored nearly all IT.
It is reasonably safe to assume that they only 'lost' European customer info, from the number of hotels listed.