"Credit card data is not obscured or obfuscated in any way. The full credit card number, cardholder name, expiry date and CVC/CVV number - necessary for cardholder-not-present transactions (e.g. a no-show guest)," he added. "Customer data is not 'purged' in any way, shape or form as far as I could tell. It is archived - mainly to reduce the load on the live database I think. The archived data is accessible from a normal MemberWeb login.
"I don't believe that one query per second from a single member hotel would be noticed (it would in retrospect), so there's the potential that 100,000+ people may have had 'live' booking details lifted," he concluded.
All parties agree that a compromise took place and how it happened (a compromised MemberWeb log-in ID lifted after a hacker planted a Trojan on a reception desk PC in a Berlin hotel). The issue turns on whether this compromised PC permitted access to Best Western's worldwide reservation system, as was the case with the hotel in Leicester, or just local data. It's possible - though unlikely - that the Berlin hotel's systems were set up differently, with access only to local data and no access to archived information.
The claims of what was on offer contained in posts to an underground cybercrime forum provide no proof either way.
Slavik Markovich, chief technology officer of database security firm Sentrigo, said that computer forensics techniques need to be applied to get to the bottom of what happened at Best Western.
"Often, the 'fog of war' surrounds a suspected breach and it is difficult to understand what happened exactly," Markovich said. "In this case (based on the few tidbits of information we know) it’s possible that eight million records represents the potential set of data that could have been affected, but due to Best Western having defensive measures in place, the actual breach had been limited to 13 records of individuals.
"It is also possible that these preliminary findings do not tell the whole picture, and that additional forensics will be required to examine additional systems that may have been affected.
"Security is all about 'defense-in-depth'. If the initial breach was somehow undetected by monitoring the network and the logs, placing a Trojan should have been detected by an anti-virus program and the traffic the Trojan sent should have been detected by a network IDS/IPS. Currently, it is not clear if the guest databases were accessed or if the breach had only a local effect of capturing data in transit."
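The reader's point above that "one query per second from a single member hotel" would only be noticed in retrospect, and Markovich's point about monitoring logs, both come down to the same check. The following is an added example, not code from the article or from Best Western: it runs over a constructed MemberWeb-style access log (the log format, field names, login IDs and property codes are all assumptions) and flags a login that pulls reservation records at a machine-like sustained rate or reads other properties' records.

```python
# Added example (not from the article): flag a MemberWeb login that pulls
# reservation records at a machine-like rate, or across other properties.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format; field names are assumptions, not Best Western's.
# "<ISO time> login=<id> hotel=<home property> action=<name> record_hotel=<code>"
def _line(ts, login, hotel, action, record_hotel):
    return f"{ts.isoformat()} login={login} hotel={hotel} action={action} record_hotel={record_hotel}"

T0 = datetime(2008, 8, 21, 2, 0, 0)
SAMPLE_LOG = "\n".join(
    # a reception clerk: a few lookups minutes apart, own property only
    [_line(T0 + timedelta(minutes=5 * i), "recep-leic-07", "GB456",
           "view_reservation", "GB456") for i in range(4)]
    # a scripted session: one archived-record query per second, mostly other properties
    + [_line(T0 + timedelta(seconds=i), "recep-berlin-01", "DE123",
             "view_archived_reservation", "DE123" if i % 5 == 0 else f"XX{i:03d}")
       for i in range(45)]
)

def parse_line(line):
    ts, *fields = line.split(" ")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyse(log_text, window=timedelta(seconds=60), max_per_window=20):
    """Per login: peak record views inside any sliding window, number of views
    of records belonging to other properties, and whether either is suspicious."""
    by_login = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec["action"].startswith("view_"):
            by_login[rec["login"]].append(rec)
    report = {}
    for login, recs in by_login.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] >= window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        cross = sum(r["record_hotel"] != r["hotel"] for r in recs)
        report[login] = {"peak_per_window": peak, "cross_property": cross,
                         "flagged": peak > max_per_window or cross > 0}
    return report

if __name__ == "__main__":
    for login, result in analyse(SAMPLE_LOG).items():
        print(login, result)
```

The cross-property count is the signal that separates "local data only" from access to the worldwide reservation system, which is exactly the question the article says the Berlin case turns on.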
Best Western has taken the highly unusual step of writing to those who have made a recent booking in a bid to calm possible fears.
You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!
After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers, who are currently being contacted to offer our assistance; none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.
We are working with the FBI and other international authorities to investigate further.
At Best Western we take the confidentiality of our customers' personal information very seriously, complying with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.
David Clarke CEO
Best Western Hotels GB
Best Western makes much of its compliance with the PCI DSS standard for credit card security, but PCI DSS compliance doesn't mean organisations are secure. Even by its own account, Best Western systems were compromised by a Trojan. A malware attack was also blamed for a breach that exposed an estimated 4.2 million credit card records at US grocery chain Hannaford, another firm that was PCI DSS compliant.
One of 12 requirements for PCI DSS compliance is to "use and regularly update anti-virus software". All well and good, but as these two companies can testify, that's no guarantee against infection. Another requirement of the PCI DSS guidelines is for firms to “protect stored cardholder data” - something both firms have conspicuously failed to do.
Best Western may honestly think that the compromised PC only allowed access to reservations in the same hotel, but experience from our reader in a Leicester hotel at least suggests that other systems are set up differently. It could be the German systems are more secure - if not, then this particular rabbit hole goes far deeper than the hotel chain would like to admit. ®
Good one. In fact the conjunction of the words "grossly" and "unsubstantiated" should be enough to ring warning bells. It's like the politician's "I entirely deny" although they dress that up by (mis)using the word 'refute' so that it doesn't sound quite so silly.
Sorry, but I have to share this
Whilst writing the last (in bed with laptop) swmbo (still sleeping) said "what are you doing?" I replied that I was participating in an online forum, which seemed to cause a degree of consternation. So I tried to reassure her by insisting that I was "on the register".
Now it appears I have got some explaining to do --- I'm just printing a copy of the masthead and going to plead my innocence. This is going to be a shortcut for J. Smith isn't it? We are ALL on the register now.
Danger - weasel words
Read the Best Western statement closely
"You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!"
Note the word "unsubstantiated" ..... not untrue.... just unsubstantiated... sounds good means nothing.
"After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus."
Virus sounds better than backdoors or trojans... manflu kinda thing rather than the more eye-widening trojan up the backdoor.
"The compromise permitted access to reservations data for that property only.
This has affected only ten customers, who are currently being contacted to offer our assistance; none of these were GB customers."
Hmmm only 10 reservations in a week...... quiet week?
"There is no evidence of any unauthorized access to any other customer data."
Just because there's no evidence doesn't mean there was no access to the other data, however this does admit that there was access to some customer data.
"Most importantly Best Western purges all reservations data within seven days of guest departure."
Purges, a word which is less definite in its meaning than deletes.
Note also the use of "reservations data", since obviously they wish to reassure customers that some ephemeral data is "purged" but mask the fact that significant customer info is retained.
Mine's the one with Crisis Management for Dummies in the pocket.