Fog of attack clouds Best Western hack
Are you local? Really?
"Credit card data is not obscured or obfuscated in any way. The full credit card number, cardholder name, expiry date and CVC/CVV number - neccessary for cardholder not present transactions (eg a no-show guest)," he added. "Customer data is not 'purged' in any way, shape or form as far as I could tell. It is archived - mainly to reduce the load on the live dataBase I think. The archived data is accessible from a normal MemberWeb login.
"I don't believe that one query per second from a single member hotel would be noticed (it would in retrospect), so there's the potential that 100,000+ people may have had 'live' booking details lifted," he concluded.
All parties agree that a compromise took place and how it happened (a compromised MemberWeb log-in ID lifted after a hacker planted a Trojan on a reception desk PC in a Berlin hotel). The issue turns on whether this compromised PC permitted access to Best Western's worldwide reservation system, as was the case with the hotel in Leicester, or just local data. It's possible - though unlikely - that the Berlin hotel's systems were set up differently, with access only to local data and no access to archived information.
The claims of what was on offer contained in posts to an underground cybercrime forum provide no proof either way.
Slavik Markovich, chief technology office of database security firm Sentrigo, said that computer forensics techniques need to be applied to get to the bottom of what happened at Best Western.
"Often, the 'fog of war' surrounds a suspected breach and it is difficult to understand what happened exactly," Markovich said. "In this case (based on the few tidbits of information we know) it’s possible that eight million records represents the potential set of data that could have been affected, but due to Best Western having defensive measures in place, the actual breach had been limited to 13 records of individuals.
"It is also possible that these preliminary findings do not tell the whole picture, and that additional forensics will be required to examine additional systems that may have been affected.
"Security is all about 'defense-in-depth'. If the initial breach was somehow undetected by monitoring the network and the logs, placing a Trojan should have been detected by an anti-virus program and the traffic the Trojan sent should have been detected by a network IDS/IPS. Currently, it is not clear if the guest databases were accessed or if the breach had only a local effect of capturing data in transit."
Best Western has taken the highly unusual step of writing to those who have made a recent booking in a bid to try to calm possible fears.
You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!
After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers who we are currently being contacted to offer our assistance, none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.
We are working with the FBI and other international authorities to investigate further.
At Best Western we take the confidentiality of our customers' personal information very seriously, complying with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.
David Clarke CEO
Best Western Hotels GB
Best Western makes much of its compliance with the PCI DSS standard for credit card security, but PCI DSS compliance doesn't mean organisations are secure. Even by its own account, Best Western systems were compromised by a Trojan. A malware attack was also blamed on a breach that exposed an estimated 4.2 million credit card records at US grocery chain Hannaford, another firm that was PCI DSS compliant.
One of 12 requirements for PCI DSS compliance is to "use and regularly update anti-virus software". All well and good, but as these two companies can testify, that's no guarantee against infection. Another requirement of the PCI DSS guidelines is for firms to “protect stored cardholder data” - something both firms have conspicuously failed to do.
Best Western may honestly think that the compromised PC only allowed access to reservations in the same hotel, but experience from our reader in a Leicester hotel at least suggests that other systems are set up differently. It could be the German systems are more secure - if not, then this particular rabbit hole goes far deeper than the hotel chain would like to admit. ®