Feeds

Fog of attack clouds Best Western hack

Are you local? Really?

Remote control for virtualized desktops

Analysis Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.

Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.

According to the Herald, an Indian hacker sold information on how to access addresses, telephone numbers and credit card details from the hotel's online booking system after breaking into the system. Tips on how to repeat the hack were offered for sale on a Russian underground hacking forum.

The paper claimed anyone who stayed at any of 1,312 European Best Western since last year - eight million people in all - could have been hit by the attack. All wrong, retorted Best Western: it maintains the breach affected only one hotel in Germany and just ten customer records. The hotel chain said it has tracked down the breach to the infection of a PC in a single Berlin hotel with Trojan horse malware.

In a statement, Best Western explained: "The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use."

Herald technology editor Iain Bruce brought the breach to Best Western's attention in the first place. He waited till the hotel had a chance to close the hole before publishing a story, containing a quote from Best Western.

Since then the two have fallen out big style, with Best Western claiming the Herald's numbers (based on how many people stayed at the hotel over the course of a year) are a load of dingo's kidneys. The hotel angrily denounced the Herald's story, suggesting its reporter had failed to check his facts.

However, Bruce told ITWire that he put the figures to the hotel prior to publication. He said he derived the figure of eight million from the fact that the hacker offered Best Western's entire European reservation database system for sale, not just a few snippets from a Berlin hotel.

Bruce shared screenshots of the database interface with ITWire reporter Davey Winder. The interface covered the whole of Europe and had a date range running from 14 August 2007 until 21 August 2008. It included guest names and payment details.

The screenshot shows just a handful of transactions. Best Western said that data on its guests is purged from its systems a week after they leave the hotel.

If that's the case, Winder considers, why does the transaction log go back a year? Respondents to the story may have an answer for that: the system allows guests to reserve rooms for up to a year. That still leaves the big question of whether the hack allowed Europe-wide access to the hotel's reservation system or just access to the local database, as Best Western claims.

Opinion from Regreaders knowledgable about Best Western's system is split. One of our readers anonymously suggests that the hacker did not gain access to the central database, but only to an individual hotel's computer application.

"As a former IT employee for Best Western (who left recently on good terms) I can confirm that everything Best Western is saying about this incident is true. I still have friends "on the inside", so-to-speak, who confirmed (off-the-record, of course) that a hotel front desk clerk's login ID and password for the 'MemberWeb' system were stolen by a password stealing Trojan (this "MemberWeb system is what allows front desk staff to check on incoming reservations and adjust rates and availability - among many other things)," he wrote.

"The account that was compromised had *very* limited access to the MemberWeb system, so at most, the hacker was able to glean a handful of records from the 'Transaction Log' feature (looking into the account's access history is what showed that it was only 10 records that were actually accessed by the attacker)."

However, another correspondent said that reception desk PCs have access to bookings made at Best Western hotels in other countries, casting doubt that the compromise was limited.

"I have watched as a hotel in Leicester canceled a guest's stay at a hotel in Linz and rebooked him in a hotel in Vienna. At no point was the hotel in Linz informed of this other than via MemberWeb. This was done with a standard MemberWeb login and no reservation numbers - a simple search for the guest's name sufficed. This would seem to contradict BW's statement that 'The compromised user ID permitted access only to the reservations at a single hotel'."

Our man also questioned claims that Best Western purge customer records a week after guests leave its hotels, and explained the system gives access to complete payment details.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.