Feeds

Fog of attack clouds Best Western hack

Are you local? Really?

The Power of One eBook: Top reasons to choose HP BladeSystem

Analysis Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.

Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.

According to the Herald, an Indian hacker sold information on how to access addresses, telephone numbers and credit card details from the hotel's online booking system after breaking into the system. Tips on how to repeat the hack were offered for sale on a Russian underground hacking forum.

The paper claimed anyone who stayed at any of 1,312 European Best Western since last year - eight million people in all - could have been hit by the attack. All wrong, retorted Best Western: it maintains the breach affected only one hotel in Germany and just ten customer records. The hotel chain said it has tracked down the breach to the infection of a PC in a single Berlin hotel with Trojan horse malware.

In a statement, Best Western explained: "The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use."

Herald technology editor Iain Bruce brought the breach to Best Western's attention in the first place. He waited till the hotel had a chance to close the hole before publishing a story, containing a quote from Best Western.

Since then the two have fallen out big style, with Best Western claiming the Herald's numbers (based on how many people stayed at the hotel over the course of a year) are a load of dingo's kidneys. The hotel angrily denounced the Herald's story, suggesting its reporter had failed to check his facts.

However, Bruce told ITWire that he put the figures to the hotel prior to publication. He said he derived the figure of eight million from the fact that the hacker offered Best Western's entire European reservation database system for sale, not just a few snippets from a Berlin hotel.

Bruce shared screenshots of the database interface with ITWire reporter Davey Winder. The interface covered the whole of Europe and had a date range running from 14 August 2007 until 21 August 2008. It included guest names and payment details.

The screenshot shows just a handful of transactions. Best Western said that data on its guests is purged from its systems a week after they leave the hotel.

If that's the case, Winder considers, why does the transaction log go back a year? Respondents to the story may have an answer for that: the system allows guests to reserve rooms for up to a year. That still leaves the big question of whether the hack allowed Europe-wide access to the hotel's reservation system or just access to the local database, as Best Western claims.

Opinion from Regreaders knowledgable about Best Western's system is split. One of our readers anonymously suggests that the hacker did not gain access to the central database, but only to an individual hotel's computer application.

"As a former IT employee for Best Western (who left recently on good terms) I can confirm that everything Best Western is saying about this incident is true. I still have friends "on the inside", so-to-speak, who confirmed (off-the-record, of course) that a hotel front desk clerk's login ID and password for the 'MemberWeb' system were stolen by a password stealing Trojan (this "MemberWeb system is what allows front desk staff to check on incoming reservations and adjust rates and availability - among many other things)," he wrote.

"The account that was compromised had *very* limited access to the MemberWeb system, so at most, the hacker was able to glean a handful of records from the 'Transaction Log' feature (looking into the account's access history is what showed that it was only 10 records that were actually accessed by the attacker)."

However, another correspondent said that reception desk PCs have access to bookings made at Best Western hotels in other countries, casting doubt that the compromise was limited.

"I have watched as a hotel in Leicester canceled a guest's stay at a hotel in Linz and rebooked him in a hotel in Vienna. At no point was the hotel in Linz informed of this other than via MemberWeb. This was done with a standard MemberWeb login and no reservation numbers - a simple search for the guest's name sufficed. This would seem to contradict BW's statement that 'The compromised user ID permitted access only to the reservations at a single hotel'."

Our man also questioned claims that Best Western purge customer records a week after guests leave its hotels, and explained the system gives access to complete payment details.

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.