Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed. Register readers familiar with Best …
I would imagine
that Best Western are telling the truth here - after all, if 8 million records had been compromised then we would soon hear about it. Probably the reporter asked how many records were in the system, not how many could be reached using the compromised password and just ran from there. After all, how newsworthy would it be to state "Great Western computer network hacked, ten records may have been read"?
PCI DSS compliance??
According to my reading of the spec, storage of CVC2/CVV2/CID is *not* permitted.
This data is classed as "Sensitive Authentication Data" and "Sensitive authentication data must not be stored subsequent to authorization (even if encrypted)."
How does this square with the claim that Best Western are in compliance, yet the ex-employee stated that CVC2 data is clearly visible in their system?
Far too many companies are storing CVC2 data. There is no need for this, and it's a *bad* thing to do. Perhaps El Reg should start a name & shame campaign...
How is the data 'purged'?
Zeroed out or moved to the Recycle Bin? What is the betting that it is the equivalent of the latter rather than the former? Seems to me that any business using a networked Windows system for anything financially or privacy sensitive is criminally negligent regardless.
Sounding off again
I am the Anonymous former IT employee of Best Western. Sorry I have to keep posting as such.
I don't recall our reservations agents or any of our web-based systems ever having collected CVV2 or CVC2 (or whatever you want to call it) codes, nor have I ever seen them in any of the tables in the reservations database.
Now, mind you, it has been several months since I left and their policies may have changed since then. However, I just went online to www.bestwestern.com and booked a reservation using my credit card. The only details from my card that it asked for were the credit card number and expiry date.
Danger - weasel words
Read the Best Western statement closely
"You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!"
Note the word "unsubstantiated" ..... not untrue.... just unsubstantiated... sounds good means nothing.
"After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus."
Virus sounds better than backdoors or trojans... manflu kinda thing rather than the more eye-widening trojan up the backdoor.
"The compromise permitted access to reservations data for that property only.
This has affected only ten customers who we are currently being contacted to offer our assistance, none of these were GB customers."
Hmmm only 10 reservations in a week...... quiet week?
"There is no evidence of any unauthorized access to any other customer data."
Just because there's no evidence doesn't mean there was no access to the other data, however this does admit that there was access to some customer data.
"Most importantly Best Western purges all reservations data within seven days of guest departure."
Purges, a word which is less definite in its meaning than deletes.
Note also the use of "reservations data" since obviously they wish to reassure customers that some, ephemeral data is "purged" but mask the fact that significant customer info is retained.
Mine's the one with Crisis Management for Dummies in the pocket
Sorry, but I have to share this
Whilst writing the last (in bed with laptop) swmbo (still sleeping) said "what are you doing?" I replied that I was participating in an online forum, which seemed to cause a degree of consternation. So I tried to reassure her by insisting that I was "on the register".
Now it appears I have got some explaining to do --- I'm just printing a copy of the masthead and going to plead my innocence. This is going to be a shortcut for J. Smith isn't it? We are ALL on the register now.
Good one. In fact the conjunction of the words "grossly" and "unsubstantiated" should be enough to ring warning bells. It's like the politician's "I entirely deny" although they dress that up by (mis)using the word 'refute' so that it doesn't sound quite so silly.