What really happened at Best Western?

Date Reported:
8/24/08

Organization:
Best Western International

Contractor/Consultant/Branch:
None

Victims:
Guests

Number Affected:
"estimated eight million"

Types of Data:
"private information including home addresses, telephone numbers, credit card details and place of employment"

Breach Description:
"EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds."

BEST WESTERN REBUTTAL: PHOENIX, Aug 24, 2008 (BUSINESS WIRE) -- The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated.

Reference URL:
Sunday Herald (Scotland)
Best Western Response
vnunet.com
The Daily Mail
Business Wire via MarketWatch

Report Credit:
Iain S Bruce, Sunday Herald

Response:
From the online sources cited above:

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
[Evan] It isn't clear HOW the Sunday Herald uncovered this breach.  Did somebody report it to them (likely), and if so, who?

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.
[Evan] Very sensational.  5+ billion (almost 6) US dollars.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
[Evan] Even more sensational.

The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment

"They've pulled off a masterstroke here," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.
[Evan] This is the first I have heard of Jacques Erasmus and Prevx, not that this means much.  There are probably 1000's of security companies I haven't heard of.

There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare.

The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night.
[Evan] Has there been any other independent verification of these claims?

Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies.

Although the nature of internet crime makes it extremely difficult to track the precise details of the raid, the Sunday Herald understands that a hacker from India - new to the world of cyber-crime - succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations.

The next time a member of staff logged in, her username and password were collected and stored.
[Evan] Unfortunately, this is a fairly common avenue of attack.  A defense-in-depth approach (anti-virus on client, anti-virus at the gateway, intrusion detection/prevention, egress/ingress traffic monitoring, etc.) should detect and report on this type of access, if not prevent it altogether.
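The detection side of that defense-in-depth point, as an added example that is not from the article, from Best Western or from Prevx: once a staff login has been captured and sold, the credential is used from somewhere other than the front desk. A small check over the reservation system's authentication log catches exactly that: successful logins for one account from more than one source network, from an address outside the hotel's own range, or outside desk hours. The log format, the account names, the trusted address range (192.0.2.0/24) and the business hours are all constructed assumptions for this example.

```python
"""Flag reservation-desk logins that look like stolen-credential use.

Added example, not code from the page. All log lines, account names and
address ranges below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample authentication log (not a real log format from the page).
SAMPLE_LOG = """\
2008-08-21 09:02:11 login user=frontdesk01 src=192.0.2.17 result=OK
2008-08-21 14:30:45 login user=frontdesk01 src=192.0.2.17 result=OK
2008-08-21 23:41:09 login user=frontdesk01 src=203.0.113.45 result=OK
2008-08-22 01:12:33 login user=frontdesk01 src=198.51.100.8 result=OK
2008-08-22 08:15:02 login user=manager02 src=192.0.2.20 result=OK
2008-08-22 02:03:00 login user=manager02 src=192.0.2.20 result=FAIL
"""

# Assumption: the hotel's own reservation terminals sit in this range.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: the desk is staffed 07:00-21:59 local time.
BUSINESS_HOURS = range(7, 22)
LINE_RE = re.compile(r"^(\S+ \S+) login user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Turn the raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "src": ipaddress.ip_address(src),
            "ok": result == "OK",
        })
    return events


def is_trusted(addr):
    """True if the source address belongs to one of the hotel's own networks."""
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_credential_misuse(events):
    """Return (user, reason, detail) alerts for successful logins that look like
    a captured credential being replayed from elsewhere."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:  # only successful logins matter for credential *use*
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for e in evs:
            if not is_trusted(e["src"]):
                alerts.append((user, "untrusted_source", str(e["src"])))
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append((user, "off_hours", e["ts"].isoformat()))
        # One desk account seen from several /24 networks in the window is the
        # strongest single indicator that the password is in more than one pair of hands.
        nets = {ipaddress.ip_network(f"{e['src']}/24", strict=False) for e in evs}
        if len(nets) > 1:
            alerts.append((user, "multiple_networks", ",".join(sorted(str(n) for n in nets))))
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_misuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the only account that trips the checks is frontdesk01: two off-hours logins from two outside networks, which is the pattern a harvested username and password would produce. The failed 02:03 attempt on manager02 is deliberately ignored here; failed logins belong to a separate brute-force rule, not to this one.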

"Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60% of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here," explained Erasmus.
[Evan] Ah, a pitch.  It just so happens that "Prevx CSI Business plus enterprise class security breach management. Finds, monitors and fixes the infections that breach your security."
The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity.
[Evan] Which "notorious branch of the Russian mafia"?

Once the information was online, experts estimate that it would take less than an hour to write and run a software 'bot' - a simple computer programme - capable of harvesting every record on Best Western's European reservation system.

With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.

After thanking the Sunday Herald for exposing the raid on its systems, Best Western Hotels closed the breach at around 2pm on Friday afternoon.
[Evan] Did the Sunday Herald confirm this, or is this hearsay?

Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action.

"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected," said a spokesman.
[Evan] Here it appears that Best Western is admitting that a compromise took place.

"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."

Guests with concerns are advised to contact Best Western customer service at 0800 528-1238

Tim Wade, head of marketing for Best Western in Britain, said it was 'unlikely' the thieves got details of every booking in Europe because of the way their system worked.

He added: 'We are investigating further and working with our credit card partners to ensure the interests of our guests are protected.'

Last night a statement on the Best Western website said it did not believe British customers had been affected.
[Evan] To take it a step further, Best Western has issued a news release and posted an update on its website.
BEST WESTERN REBUTTAL:
"Best Western Responds to Sunday Herald Story Claiming Security Breach"

PHOENIX, Aug 24, 2008 (BUSINESS WIRE) -- The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated.

Claims reported about our Central Reservations customer records are not accurate.

We at Best Western take the confidentiality of our customers' personal information very seriously.

The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary.

Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper.

We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.
[Evan] You have to admit that the news report does seem pretty sensational.

Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.
[Evan] Is this purge process documented and verified?

We comply with the Payment Card Industry (PCI) Data Security Standards (DSS).
[Evan] This is good, but it does not offer any guarantee that information confidentiality will not be compromised.

To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy.

We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure.
[Evan] All of this is good, but does all this prevent a malware infection and trojan-horse installation on a machine used by someone that does require access?  It seems conceivable that the reporter's claims could happen, right?
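One way to answer the "is the purge documented and verified?" question above with something more than a policy sentence, as an added example that is not code from the page or from Best Western: an audit check that walks the reservation records and reports every departed guest whose card or personal data is still present. The record layout, field names and the four sample reservations are constructed for this example; a real audit would run the same logic against the live reservation store.

```python
"""Audit check for a 'purge personal data on guest departure' retention rule.

Added example, not code from the page. Records and field names are constructed.
"""
from datetime import date

# Fields the policy says must be gone once the guest has checked out.
PERSONAL_FIELDS = ("card_data", "home_address", "phone", "employer")

# Constructed reservations. "card_data" holds a placeholder token, never a real PAN.
RESERVATIONS = [
    # departed a week ago, card and address never purged -> violation
    {"id": "R1", "departure": date(2008, 8, 15), "card_data": "tok_placeholder_1",
     "home_address": "1 Example St", "phone": None, "employer": None},
    # departed, correctly purged -> clean
    {"id": "R2", "departure": date(2008, 8, 20), "card_data": None,
     "home_address": None, "phone": None, "employer": None},
    # future booking, data legitimately retained -> clean
    {"id": "R3", "departure": date(2008, 8, 25), "card_data": "tok_placeholder_3",
     "home_address": "2 Example St", "phone": "555-0100", "employer": "Example Ltd"},
    # 2007 stay still holding a phone number -> the kind of record the article claims exists
    {"id": "R4", "departure": date(2007, 11, 2), "card_data": None,
     "home_address": None, "phone": "555-0199", "employer": None},
]


def retention_violations(records, today):
    """Return one entry per departed reservation that still holds personal data,
    with how many days overdue the purge is and which fields remain."""
    violations = []
    for r in records:
        if r["departure"] >= today:
            continue  # in-house or future stay: retention is legitimate
        leftover = [f for f in PERSONAL_FIELDS if r.get(f)]
        if leftover:
            violations.append({
                "id": r["id"],
                "days_overdue": (today - r["departure"]).days,
                "fields": leftover,
            })
    return violations


def oldest_unpurged_days(violations):
    """Age of the stalest unpurged record; 0 when the policy holds for every record."""
    return max((v["days_overdue"] for v in violations), default=0)


if __name__ == "__main__":
    found = retention_violations(RESERVATIONS, date(2008, 8, 23))
    for v in found:
        print(v)
    print("oldest unpurged record (days):", oldest_unpurged_days(found))
```

Run on a schedule, the oldest-unpurged figure is the number that actually verifies the rebuttal's claim: if it stays near zero, "purges all online reservations promptly upon guest departure" is demonstrably true; a record 295 days overdue, like the constructed R4 here, is precisely the 2007 data the article says was on offer.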

We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.

PCI requires the periodic evaluation, testing, and re-certification of compliance. To that end, our most recent internal review was conducted in August 2008, as was our most recent external test and review.

Best Western would like to assure our customers, member hotels and business partners that we have no evidence to suggest that there is need for widespread concern.

Customer inquiries should be directed to our US customer service team at 800 528-1238.

Commentary:
Obviously, we have conflicting information.  One source is the news media (Sunday Herald) and the other source is the corporation itself.  Both sources have vastly different motivations.  Who to believe?

I could see how the Sunday Herald's story could happen, but I have a little doubt due to how sensational the report seems to be.  I also question the one independent source and wonder if Prevx actually reported the story to the Sunday Herald as a way to draw attention to their company.

I can also see how Best Western would suffer some serious consequences if the Sunday Herald's report were true.  It would definitely be in Best Western's best interests to minimize the impact of the report.  We do know that something happened at Best Western by their own admission, but details are seriously lacking.  The questions seem to surround details and impact.  This breach (or non-breach) demonstrates the importance of a detailed incident response plan that includes all types of breaches (or non-breaches/hoaxes).

At the end of the day, I haven't a clue as to what happened in this incident.

Past Breaches:
Unknown


Comments
  • 8/25/2008 2:09 PM BoomDogs wrote:
    In a previous life I was one of the thousand consultants hired by Best Western to install the wireless infrastructure…The canned deployment guides never emphasized security and recommendations were always ignored. The wireless network was directly attached to the back office network (duh). This is one reason I never stayed at a BW. I recently visited “war drove” by a BW and security settings on the wireless are still the same.
  • 8/25/2008 4:02 PM Gregory wrote:
    "Large corporate companies rely on anti-virus products to protect their infrastructure...."

    Certainly there's more than this. Any decent sized enterprise in today's hacker-prone world with all the compliance and security regulations will, at minimum and by policy, encrypt EVERY BIT of sensitive data--no matter its relationship to the firewall.
