Confusion reigns over Best Western data security breach

Conflicting stories are hitting the security headlines today about an alleged breach of computer systems run by the Best Western hotel chain.

According to a report by Iain S Bruce of the Scottish newspaper The Sunday Herald, names, home addresses, credit card details, telephone numbers and other personal information have been stolen from Best Western's computer network by a gang of hackers.

According to the report, an Indian hacker planted a Trojan horse on one of the firm's computers which stole usernames and passwords, giving the gang access to sensitive data which could be used for the purposes of identity theft. The Sunday Herald claims that the incident scooped up the details of guests who had stayed at a Best Western hotel since 2007, creating a potential total of eight million victims.

However, a statement from the company - which has more than 4000 hotels in 80 countries - claims that the reports are inaccurate:

"The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. We at Best Western take the confidentiality of our customers' personal information very seriously. The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary. Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper."

"We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper. Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure."

Was this a case of over-exuberant reporting, or is Best Western trying to downplay the scale of the incident? What's obvious is that at the moment the facts of this case are unclear. Even if only one hotel branch was affected, there is still an important reminder here for every organization to take the utmost care over securing its customers' data.

Rival hotel firms would be wise not to bounce on their beds in glee at Best Western's possible misfortune - but look again at their own systems to make sure that they are properly defended.

How can you tell if you are a victim of identity theft?
Symptoms include:


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.