Hotel chain Best Western has denied falling victim to a large-scale hacking attack. A report in the Scotland's Glasgow Sunday Herald claims that the hotel chain has been turned over by a hacker who lifted eight million customer records. It reports that the Indian hacker who carried out the heist sold on the information to …
Then why the panic?
Pull the other one - it has bells on!
I could pull hundreds of records per hour off MemberWeb if I chose without anyone noticing.
BW are spinning this like crazy......
Playing IT down doesn't diminish hack attacks ...it only fuels them underground
"We can also confirm that we have been able to narrow down the number of customers affected by this breach to ten. We are currently contacting those customers and offering assistance as needed.
We are working with the FBI and international authorities to investigate further."
Yes, well, just call me old fashioned but ..... there is normally something more definitely phishy and major whenever one works with the FBI and international authorities to investigate further?
Chose any one of the 12 requirements and you can find a failing so they are either lying about being compliant or the ASV/QSA "overlooked" certain requirements!!!
Probably the most relevant would be 3.4 to protect cardholder data by encryption or (temporary) compensating controls meaning no unauthorised access to cardholder data should be possible.
Attack choppper as that's what should be heading for the audit company right now to neutralise them!!!!!
Sign of the apocalypse
amanfromMars makes a perfectly lucid, rational comment.
And it could be that only a few people were affected, but they're taking it very seriously. Better that attitude than not bothering to do anything if less that a million records are exposed.
"I could pull hundreds of records per hour off MemberWeb if I chose without anyone noticing."
Sure, but the credit card details are obscured. At least they were being obscured when I left (except in certain cases when looking up reservations for your own hotel).
As a former IT employee for Best Western (who left recently on good terms) I can confirm that everything Best Western is saying about this incident is true. I still have friends "on the inside", so-to-speak, who confirmed (off-the-record, of course) that a hotel front desk clerk's login ID and password for the "MemberWeb" system were stolen by a password stealing trojan (this "MemberWeb" system is what allows front desk staff to check on incoming reservations and adjust rates and availability -- among many other things).
The account that was compromised had *very* limited access to the MemberWeb system, so at most, the hacker was able to glean a handful of records from the "Transaction Log" feature (looking into the account's access history is what showed that it was only 10 records that were actually accessed by the attacker). The account also only had access to reservations that were booked for the one hotel where the front desk clerk worked (there are very few memberweb accounts that have access to multiple hotels, and these are only given to support staff at Best Western HQ or at the local affiliate offices).
Moreover, there were some claims in the original story that simply don't jive at all with reality. For instance, the hacker claimed to have broken into the "European Reservations System", but there is no such thing. Best Western uses a single reservations system for hotel bookings worldwide (I know, this is splitting hairs, but it does show that the hacker wasn't very thorough in checking what he/she had -- or that the hacker was trying to play it up to get more money in the underground market for that data).
Oh, and by the way, at the time when I left they were auditing MemberWeb account activity. Go ahead and download those "hundreds of records per hour" that you boasted about (nevermind the obscured payment details). I just hope that Bubba and company aren't too rough on you in prison.
P.S. Sorry I have to post anonymously. I don't want to run afoul of any NDAs I might have signed with Best Western (heck, they pushed so much legal paperwork in front of me that I can't be sure they don't have a legitimate claim to my firstborn son).