
Fog of attack clouds Best Western hack

Are you local? Really?


"Credit card data is not obscured or obfuscated in any way. The full credit card number, cardholder name, expiry date and CVC/CVV number - necessary for cardholder-not-present transactions (e.g. a no-show guest)," he added. "Customer data is not 'purged' in any way, shape or form as far as I could tell. It is archived - mainly to reduce the load on the live database, I think. The archived data is accessible from a normal MemberWeb login.

"I don't believe that one query per second from a single member hotel would be noticed (it would in retrospect), so there's the potential that 100,000+ people may have had 'live' booking details lifted," he concluded.
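The reader's point is that a scripted pull of one archived booking per second from a single member login looks unremarkable unless somebody is actually counting. The block below is an added example, not code from Best Western, the reader or The Register: it runs two checks over constructed MemberWeb-style access log lines, a sliding-window rate check on archive reads per login and a check for a login reading another property's records. The log format, field names, property identifiers, window and threshold are all assumptions made for the example.

```python
"""Flag a member login bulk-pulling archived bookings (added example).

Assumptions: one log line per record read, shaped
  <ISO timestamp> login=<id> home=<property> prop=<property> action=<name> rec=<n>
The property IDs, window and threshold are invented for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_ARCHIVE_READS = 30           # assumed ceiling on archive reads per login per window


def build_sample_log():
    """Constructed sample log (not real data): a front-desk login at one
    property reading a few of its own live bookings, and a second login
    scripted at one archived record per second, every third of which
    belongs to a different property."""
    start = datetime(2008, 8, 21, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        t = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        # scripted pull from the compromised login, one record per second
        prop = "DE-BER-01" if i % 3 else "GB-LEI-04"
        lines.append(f"{t} login=DE-BER-01 home=DE-BER-01 prop={prop} "
                     f"action=view_archive rec={100000 + i}")
        # legitimate desk activity: a live booking lookup every 20 seconds
        if i % 20 == 0:
            lines.append(f"{t} login=GB-LEI-04 home=GB-LEI-04 prop=GB-LEI-04 "
                         f"action=view_live rec={200000 + i}")
    return lines


def parse_line(line):
    """Split one log line into a dict; 'ts' becomes an aware datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, window=WINDOW, max_reads=MAX_ARCHIVE_READS):
    """Return one alert per (rule, login). Lines are assumed time-ordered.

    archive_rate:   more than max_reads 'view_archive' events by one login
                    inside the sliding window.
    cross_property: a login reads a record belonging to a property other
                    than its home property.
    """
    recent = defaultdict(deque)     # login -> timestamps of archive reads in window
    seen = set()                    # (rule, login) already alerted
    alerts = []
    for line in lines:
        ev = parse_line(line)
        login = ev["login"]
        if ev["prop"] != ev["home"] and ("cross_property", login) not in seen:
            seen.add(("cross_property", login))
            alerts.append({"rule": "cross_property", "login": login,
                           "prop": ev["prop"], "ts": ev["ts"]})
        if ev["action"] != "view_archive":
            continue
        q = recent[login]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop reads older than the window
            q.popleft()
        if len(q) > max_reads and ("archive_rate", login) not in seen:
            seen.add(("archive_rate", login))
            alerts.append({"rule": "archive_rate", "login": login,
                           "count": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(a)
```

The rate rule fires on the 31st archive read inside the minute, about half a minute into the constructed pull, long before a 100,000-record extraction would complete; the cross-property rule fires on the first read that reaches outside the login's own hotel, which is exactly the question the article leaves open. In a real deployment the threshold would be set from a per-property baseline rather than a constant.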

All parties agree that a compromise took place and on how it happened: a MemberWeb log-in ID was lifted after a hacker planted a Trojan on a reception desk PC in a Berlin hotel. The dispute is over whether that log-in gave access to Best Western's worldwide reservation system, as our reader found at the hotel in Leicester, or only to local data. It's possible - though unlikely - that the Berlin hotel's systems were set up differently, with access only to local data and none to archived information.

The claims of what was on offer contained in posts to an underground cybercrime forum provide no proof either way.

Slavik Markovich, chief technology officer of database security firm Sentrigo, said that computer forensics techniques need to be applied to get to the bottom of what happened at Best Western.

"Often, the 'fog of war' surrounds a suspected breach and it is difficult to understand what happened exactly," Markovich said. "In this case (based on the few tidbits of information we know) it’s possible that eight million records represents the potential set of data that could have been affected, but due to Best Western having defensive measures in place, the actual breach had been limited to 13 records of individuals.

"It is also possible that these preliminary findings do not tell the whole picture, and that additional forensics will be required to examine additional systems that may have been affected.

"Security is all about 'defense-in-depth'. If the initial breach was somehow undetected by monitoring the network and the logs, placing a Trojan should have been detected by an anti-virus program and the traffic the Trojan sent should have been detected by a network IDS/IPS. Currently, it is not clear if the guest databases were accessed or if the breach had only a local effect of capturing data in transit."

Best Western has taken the highly unusual step of writing to those who have made a recent booking in a bid to calm possible fears.

You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!

After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers, whom we are currently contacting to offer our assistance; none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.

We are working with the FBI and other international authorities to investigate further.

At Best Western we take the confidentiality of our customers' personal information very seriously, complying with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.

Yours sincerely,

David Clarke CEO

Best Western Hotels GB

Best Western makes much of its compliance with the PCI DSS standard for credit card security, but PCI DSS compliance doesn't mean an organisation is secure. Even by its own account, Best Western systems were compromised by a Trojan. A malware attack was also blamed for a breach that exposed an estimated 4.2 million credit card records at US grocery chain Hannaford, another firm that was PCI DSS compliant.

One of 12 requirements for PCI DSS compliance is to "use and regularly update anti-virus software". All well and good, but as these two companies can testify, that's no guarantee against infection. Another requirement of the PCI DSS guidelines is for firms to “protect stored cardholder data” - something both firms have conspicuously failed to do.

Best Western may honestly think that the compromised PC only allowed access to reservations in the same hotel, but experience from our reader in a Leicester hotel at least suggests that other systems are set up differently. It could be the German systems are more secure - if not, then this particular rabbit hole goes far deeper than the hotel chain would like to admit. ®

