The Sunday Herald last week reported that data from every guest staying in 1,300 Best Western Hotels in the past year had been stolen, calling it the “world’s largest caper” to the tune of 8 million victims. However, Best Western disputes this: the hotel chain has issued a statement saying it has “found no evidence to support the sensational claims ultimately made by the reporter and newspaper.”
Best Western calls the Sunday Herald out over its story. Who has the correct facts in the matter? (Image: J. Anderson)
In a statement given late Monday, the chain said:
“The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated.”
In an email exchange with the company, The Tech Herald has been informed that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.
“We can also confirm that we have been able to narrow down the number of customers affected by this breach to ten. We are currently contacting those customers and offering assistance as needed.”
I asked Best Western to explain the assistance offering in a little more detail and was told, “We have contacted the affected customers and have offered to assist them in working through this issue. We will work with each individual customer to determine what assistance is most appropriate.”
The FBI is involved with the investigation; however, no links to Russian or Indian networks have been found, so the attack's origin is still unknown.
An updated statement issued overnight by Best Western says, in part:
“In the day-to-day conduct of our business, we comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards. We also delete credit card information and all other personal information upon guest departure.”
The reasoning behind the claim that the Sunday Herald’s story is “grossly unsubstantiated” is that Best Western purges reservations data within seven days of guest departure, thereby limiting potential data exposure to those guests who departed up to one week prior, current guests, and future guests of that particular hotel.
“Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper. We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper,” Best Western outlined in its statement.
“We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure,” it added.
The company also stated that its last PCI audit was performed this month (August 2008).
The Sunday Herald has not responded to requests for comment, issued a statement, or updated the original story.
You can read the full article from the Sunday Herald here.