Best Western refutes story claiming records breached

Hotel chain denies exposing personal data of more than 8 million customers.

The Best Western hotel chain today strongly refuted a story published by a Scottish newspaper on Sunday suggesting that it had been the victim of a massive system intrusion exposing the personal data of more than 8 million customers.

Phoenix-based Best Western International acknowledged that some of its data may have been accessed by an unauthorized users. But the company said that only one hotel was affected and that only 13 customer records were actually exposed.

The story in Glasgow's Sunday Herald claimed that attackers had accessed the data of every single customer]] who had stayed at one of Best Western's 1,312 European hotels this year and in 2007.

The Sunday Herald reported that the alleged intrusion was perpetrated last Thursday by a hitherto unknown Indian hacker, who got the log-in credentials for Best Western's online booking system via a keystroke-logging program and then sold the details of how to access the data in the system "through an underground network operated by the Russian mafia."

According to the paper, which touted the story as a major scoop, the compromised data included the credit card information, home addresses, phone numbers and place of employment of people who had checked into Best Western hotels. The heist potentially could result in more than US$4 billion worth of fraud, the Sunday Herald estimated.

However, in a statement sent to reporters via e-mail, Best Western said that the story was "grossly unsubstantiated" and inaccurate.

In a separate FAQ that was distributed with the statement, the hotel chain confirmed that there was "some evidence" of unauthorized access to customer data by someone using a valid employee username and password. But the compromise was limited to just one property, Best Western said, adding that the total number of potentially affected customers was 115.

Just over a dozen customer records were exposed, according to the company, which said "no evidence to support the sensational claims" of a much wider and larger breach made by the Sunday Herald.

Best Western said that as part of its compliance with the Payment Card Industry Data Security Standard, developed by the major credit card companies, it takes several steps to ensure that cardholder data is protected. The measures include encrypting all card data both while it is stored and in transit between systems, using passwords to restrict access to the data, and deleting credit card records and other personal information when guests depart.

"It is impossible to prove a negative," the hotel chain said in its statement. But, it added, there is no reason to believe that the exposure went beyond just a few records and the one hotel. Best Western also called on the Sunday Herald to provide it with evidence backing up the newspaper's claims about the scope of the breach.

More about: AMP, Best Western International, Billion, Exposure, MarketWatch.com, Phoenix, VIA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/205/divx-plus/

DivX Plus

Divx Plus 8 provides you with a Web Player which allows you to watch DivX, AVI and MKV videos in your web brower; you can ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia