Slashdot Mirror


Best Western Loses Details On 8 Million Customers

Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"

9 of 180 comments

  1. What is a continental hotel? by Renegade+Lisp · Score: 4, Interesting

    The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?

    I stayed at Best Western in the US late last year. Luckily, I have since then changed to a different credit card than the one I used at the time.

    The last time a company I did business with lost my credit card details, I decided I wouldn't do anything about it until I really saw an unauthorized withdrawal from my account. Because in the past, when there was an unauthorized withdrawal (only happened to me once), a single phone call to the credit card company had been enough to get my money back (some 300 Euro). They said they would start to investigate it, but because it could take a long time, "here's your money back as a first measure."

    With the recently stolen card info, I got a notice from my bank a few months later that they had to disable my card because there was an attempt to commit fraud with it. I got a new card with no further action required on my part.

    Either way, this could turn out to be a big hassle for Best Western. If only they could let me know if my personal data was affected.

    1. Re:What is a continental hotel? by Carewolf · Score: 5, Informative

      Well, for Brits, Continental means European except British.

    2. Re:What is a continental hotel? by Renegade+Lisp · Score: 4, Informative

      Replying to myself, I just checked Wikipedia. Best Western has 4,000 hotels world-wide, 2,000 of which are in North America. This means that the 1,312 hotels affected are probably all in continental Europe.

    3. Re:What is a continental hotel? by sticky_charris · Score: 4, Informative

      We British do consider ourselves to be European. A minority of xenophobes in Britain consider themselves not to be European (or realise they are and would prefer not to be), and an even smaller number don't even consider themselves (or want to be) part of Britain - they are Scottish, Irish, Welsh or English in their eyes. I consider myself Scottish, British and European, and almost everyone I have met with any intelligence regards themselves in the same way.

  2. Bad Summary by telchine · Score: 5, Informative

    The summary is misleading:

    The details weren't "lost", the server was compromised and they were stolen.

    This doesn't affect all Best Western hotels, just some European ones.

    The details stolen are from 2007-2008 (up to 20 months).

    1. Re:Bad Summary by ralphdaugherty · Score: 4, Interesting

      This whole thing is very confusing to make sense of, starting with British writers that write like the National Enquirer.

      Starting at the beginning, from TFA, someone from India "planted a trojan virus on one of the [continental] Best Western Hotel machines used for reservations" collecting the username and login of a staff person's login.

      So what does that give them? A login to the Best Western reservations system. Gee, wonder how many people know that top secret info? Like every freakin' Best Western counter clerk, for starters.

      And then what does one do when logged in to a reservations system? They make reservations!!! Holy cow, that's top secret too.

      So here's where it gets confusing. How does someone knowing the login to a reservations system, which is like everyone using it, allow anyone who's logged in to acquire the entire reservations history table?

      If anyone can do it by selecting history on all or something, then any Best Western clerk could have retrieved all this info at any time just by logging in.

      With the trojan virus hocus pocus talk, there is an implied possibility that the virus spread to the server, which provided a back door to retrieve the info, but that isn't stated. What's stated is that the trojan merely recorded a login and the Indian got it. We know that is what is happening in bot networks all over the world. It's just a matter of which logins get snapped up from an unsuspecting user.

      So either any Best Western clerk could retrieve all reservation history including credit card info at any time, in which case the Indian might just as well have worked for one, or there's an unspecified and unexplained access to the server that provided a backdoor FTP from the server.

      One or the other, but if the first then it wouldn't be the greatest cyber-crime ever, it would be the worst reservation system server software in history.

      If the second, again, a clerk could have copied a trojan virus file from a floppy to the reservations PC and logged in; it doesn't require a "hacker" at all.

      My guess from the frenzied journalism is that a reservations clerk login is all it took, rather than hoping the trojan virus could both capture the login and then also migrate successfully to the server, since trojans generally aren't multi-OS aware and, assuming the server was the same OS, migrated with standard trojan attack vectors for the OS. I find that hard to believe though.

      I also wonder whether there were any confirmed sightings of the info being offered in criminal forums by any of these quoted security experts or just how it came to be known that the entire reservations history table has been downloaded by anyone who acquired the reservations system login from the Indian.

      Gee, having a Best Western reservations system login being the cyber-crime of the century is the goofiest thing I've seen since the last /. debacle thread, and we don't have to go too far back to find one.

        rd

  3. How much has to happen 'til we see consequences? by Opportunist · Score: 4, Insightful

    We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere. Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor? Because, well, did you see anything happening out of it? I didn't.

    These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?

    Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task of keeping this information secure? If you can't keep info secure, don't collect it, dammit!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  4. The problem here is more than data "loss". by fuzzyfuzzyfungus · Score: 4, Insightful

    The issue is not so much that the data were stolen, though obviously that is bad; but that the hotel made it worse by keeping data on hand that weren't necessary. "Employment details"? WTF? I recognize that certain data are unavoidable in such a system; but I would like to see substantially greater penalties for those who compromise customer data that they don't even have a good reason for keeping.

    Incidentally, when did we start using the term "lose" as a polite synonym for "fuck up in fine style"?

  5. Re:PARDON? by AK+Marc · Score: 4, Insightful

    Don't rush to judgements without the facts being in. It's entirely possible from what was posted there that a single employee did something bad, not that the whole organization was negligent.

    If you can break one account and download millions of records before anyone notices, and you allow all that anonymously over the Internet, then I'd say there are some systemic problems. That is by far the easiest way to do it, but also the least secure. If any single user account gets hacked, the entire database is open for quick and easy download. But, if you had people go through a front-end that only fed one record at a time, logged all records presented to which accounts, and froze the account at more than 10 records per minute or 100 in a day (or whatever number works), then you could make a system that would still allow for a user that gives away his username and password and not make millions of records available for immediate download. And even if it did happen, you'd have an exact record of every record touched, to limit exposure and damages (no one claiming they were affected when they weren't).

    Compartmentalization is important for security, but never done because it is often inconvenient for the users. The trick is to fine for just the loss of records, something like $10 per record exposed, so that they will treat them like real money, not just a PR issue if things go wrong. The current method of them paying only with proof of damages to a person, or buying a credit watch for a year (probably at some obscenely discounted rate, and it gets you on the credit report company's mailing list) is a joke. Make it cost real money and you'll see more lying about when they do happen and more security to prevent them from happening.

    Even if you have separation of powers you are still vulnerable. Suppose the DBA and the System Admin are different people. Maybe the DBA keeps things locked up tight and the database itself is encrypted. The system admin can still just sit and read memory all day and collect the info that way. I used to do this in school. Some of us had shell accounts in the comp sci dept. I never had to "break" or get elevated privileges past any security, but I could collect lots of interesting information by running a little C program I wrote which allocated a big character array, did not initialize it and then wrote the contents to disk every few moments, lather rinse repeat.

    Or, they give full read access to everyone so that some accountant somewhere has an easier time setting up Crystal Reports to run a monthly report. You don't need high level access to compromise the data. Even the lowest read-only access will expose every record in it.
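The single-record front-end that AK Marc's comment sketches (one record per request, every access logged against the account, account frozen past 10 records a minute or 100 a day) as an added Python example; this is not code from the thread or from any Best Western system, and the record data and account names are constructed. The `exposure()` method shows the other half of the argument: from the log you can say exactly which records a compromised login touched.

```python
"""Record-serving gateway with per-account audit log and access thresholds.
Added example; limits 10/minute and 100/day are taken from the comment above,
everything else (record ids, account names) is constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

PER_MINUTE_LIMIT = 10   # "more than 10 records per minute" -> freeze
PER_DAY_LIMIT = 100     # "or 100 in a day" -> freeze


class AccountFrozen(Exception):
    """Raised once an account has tripped a threshold; it stays frozen."""


@dataclass
class RecordGateway:
    records: dict                                   # record_id -> record payload
    audit_log: list = field(default_factory=list)   # (ts, account, record_id, event)
    frozen: set = field(default_factory=set)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))  # account -> access timestamps

    def fetch(self, account, record_id, now):
        """Hand out exactly one record. `now` is seconds (explicit for testability).
        Counts the request against the account's sliding 60 s and 86400 s windows
        and freezes the account instead of serving when a limit would be exceeded."""
        if account in self.frozen:
            raise AccountFrozen(account)
        window = self._recent[account]
        while window and now - window[0] >= 86400:   # drop accesses older than a day
            window.popleft()
        last_minute = sum(1 for t in window if now - t < 60)
        if last_minute + 1 > PER_MINUTE_LIMIT or len(window) + 1 > PER_DAY_LIMIT:
            self.frozen.add(account)
            self.audit_log.append((now, account, None, "FROZEN"))
            raise AccountFrozen(account)
        window.append(now)
        self.audit_log.append((now, account, record_id, "READ"))   # what was shown to whom
        return self.records.get(record_id)

    def exposure(self, account):
        """Record ids the account actually received: the scope of a compromise
        of that login, derived from the log rather than guessed."""
        return sorted({r for _, a, r, ev in self.audit_log if a == account and ev == "READ"})
```

Running a stolen clerk login through this gateway yields at most ten records before the freeze, and the audit log names them.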