Best Western Says Data Breach Overblown

In a Tuesday statement, Best Western confirmed that on August 21, three separate attempts were made via a single log-on ID to access the same data from a single hotel, the Best Western Hotel am Schloss Kopenick in Berlin, Germany.

The hotel's antivirus software detected a Trojan horse virus, and Best Western immediately terminated the account and disconnected the affected PC from the network, according to the statement.

"We are working with the FBI and international authorities to investigate further," according to the statement. "There is no evidence of any unauthorized access to any other customer data."

News of the breach first surfaced Sunday in a report in Scotland's Glasgow Sunday Herald, which claimed that last week, an Indian hacker devised a method for breaking into Best Western's online booking system and then sold this information to Russian mafia operatives.

According to The Herald, the attack revealed personal data on about 8 million customers who stayed at one of the chain's 1,312 European hotels since 2007, including home addresses, telephone numbers, credit card, and employment details.

In both of its official statements this week, Best Western has emphasized that recent audits found the hotel chain's network infrastructure to be PCI-compliant. However, this is somewhat disingenuous because PCI compliance doesn't provide companies with immunity from security breaches, according to solution providers.

In fact, companies can be PCI compliant and still have gaping holes in their security infrastructure that leave them exposed to very sophisticated attacks, said Bill Calderwood, president of The Root Group, a Boulder, Colo.-based security solution provider.

"You can have an audit one day and be totally exposed the next day because of some new threat vector," Calderwood said.

A Best Western spokesperson contacted by ChannelWeb declined to comment on whether the hotel chain will implement additional security measures to prevent a recurrence, saying only that Best Western has always had stringent security.

"While even one compromised record is too much, the fact is that our time-till-purge, our hotel anti-virus software, and our organizational response succeeded in minimizing exposure in this instance," said the spokesperson.

Echoing one of the mantras of the security industry, Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider, says the only truly secure network is one that is completely disconnected.

"Beyond that, if someone wants to target your system and they have the right tools, you will be compromised. Organizations often discount the need to invest in Security Event Management (SEM) solutions and in the people to monitor them," Labatt Simon said.

Knowing an attack is in progress by monitoring abnormal activity is critical, but Labatt Simon says it's also important to look beyond the technology.

"Recognizing the increasing frequency of these attacks, organizations that store personal and private information should have crisis management plans to help protect their customers and their own reputations," Labatt Simon said.