Fog of attack clouds Best Western hack

"Credit card data is not obscured or obfuscated in any way. The full credit card number, cardholder name, expiry date and CVC/CVV number - necessary for cardholder not present transactions (eg a no-show guest)," he added. "Customer data is not 'purged' in any way, shape or form as far as I could tell. It is archived - mainly to reduce the load on the live database I think. The archived data is accessible from a normal MemberWeb login.

"I don't believe that one query per second from a single member hotel would be noticed (it would in retrospect), so there's the potential that 100,000+ people may have had 'live' booking details lifted," he concluded.

All parties agree that a compromise took place and how it happened (a compromised MemberWeb log-in ID lifted after a hacker planted a Trojan on a reception desk PC in a Berlin hotel). The issue turns on whether this compromised PC permitted access to Best Western's worldwide reservation system, as was the case with the hotel in Leicester, or just local data. It's possible - though unlikely - that the Berlin hotel's systems were set up differently, with access only to local data and no access to archived information.

The claims of what was on offer contained in posts to an underground cybercrime forum provide no proof either way.

Slavik Markovich, chief technology officer of database security firm Sentrigo, said that computer forensics techniques need to be applied to get to the bottom of what happened at Best Western.

"Often, the 'fog of war' surrounds a suspected breach and it is difficult to understand what happened exactly," Markovich said. "In this case (based on the few tidbits of information we know) it’s possible that eight million records represents the potential set of data that could have been affected, but due to Best Western having defensive measures in place, the actual breach had been limited to 13 records of individuals.

"It is also possible that these preliminary findings do not tell the whole picture, and that additional forensics will be required to examine additional systems that may have been affected.

"Security is all about 'defense-in-depth'. If the initial breach was somehow undetected by monitoring the network and the logs, placing a Trojan should have been detected by an anti-virus program and the traffic the Trojan sent should have been detected by a network IDS/IPS. Currently, it is not clear if the guest databases were accessed or if the breach had only a local effect of capturing data in transit."
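The reader's point that one record per second from a single member login should stand out, and Markovich's call for monitoring the logs, come down to the same check over reservation-system access logs. The Python below is an added illustration, not part of the article or of Best Western's systems; the log format, login names, property codes and thresholds are all constructed assumptions.

```python
import datetime as dt
from collections import defaultdict


def build_sample_log():
    """Constructed access log: timestamp, login, login's own property,
    property whose reservation was read, and live/archive store."""
    lines = []
    base = dt.datetime(2008, 8, 21, 9, 0, 0)
    # A front-desk login doing normal work: three reads of its own property.
    for i in range(3):
        t = base + dt.timedelta(minutes=i * 10)
        lines.append(f"{t.isoformat()} desk-A HOTEL-A HOTEL-A live")
    # A stolen login pulling one archived record per second from other hotels.
    for i in range(40):
        t = base + dt.timedelta(seconds=i)
        lines.append(f"{t.isoformat()} desk-B HOTEL-B HOTEL-{'CDE'[i % 3]} archive")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, own, target, store = line.split()
        events.append({"ts": dt.datetime.fromisoformat(ts), "login": login,
                       "own": own, "target": target, "store": store})
    return events


def rate_alerts(events, window_seconds=60, max_queries=30):
    """Return {login: peak count} for logins whose query count in any sliding
    window exceeds max_queries (threshold is an assumed, tunable value)."""
    by_login = defaultdict(list)
    for e in events:
        by_login[e["login"]].append(e["ts"])
    flagged = {}
    for login, stamps in by_login.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_queries:
            flagged[login] = peak
    return flagged


def cross_property_alerts(events):
    """A member-hotel login reading another property's reservations."""
    return sorted({(e["login"], e["target"]) for e in events if e["target"] != e["own"]})
```

Together the two checks cover both signals the article describes: the volume of lookups from one login, and a local login reaching data belonging to other properties.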

Best Western has taken the highly unusual step of writing to those who have made a recent booking in a bid to try to calm possible fears.

You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!

After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers, who are currently being contacted to offer our assistance; none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.

We are working with the FBI and other international authorities to investigate further.

At Best Western we take the confidentiality of our customers' personal information very seriously, complying with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.

Yours sincerely,

David Clarke CEO

Best Western Hotels GB

Best Western makes much of its compliance with the PCI DSS standard for credit card security, but PCI DSS compliance doesn't mean organisations are secure. Even by its own account, Best Western systems were compromised by a Trojan. A malware attack was also blamed for a breach that exposed an estimated 4.2 million credit card records at US grocery chain Hannaford, another firm that was PCI DSS compliant.

One of 12 requirements for PCI DSS compliance is to "use and regularly update anti-virus software". All well and good, but as these two companies can testify, that's no guarantee against infection. Another requirement of the PCI DSS guidelines is for firms to “protect stored cardholder data” - something both firms have conspicuously failed to do.

Best Western may honestly think that the compromised PC only allowed access to reservations in the same hotel, but experience from our reader in a Leicester hotel at least suggests that other systems are set up differently. It could be the German systems are more secure - if not, then this particular rabbit hole goes far deeper than the hotel chain would like to admit. ®
