Best Western: 1 hotel, 1 log-on, 10 customers

Best Western: 1 hotel, 1 log-on, 10 customers - Via PogoWasRight - Privacy News Headlines:

The following is an updated statement from Best Western, via email. Thanks to ITRC for sending us a copy.

This statement is intended to provide further detail on the largely erroneous story originated by The Sunday Herald newspaper in Scotland, concerning the breach of Best Western's Central Reservations System.

We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel's anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.

We can also confirm that we have been able to narrow down the number of customers affected by this breach to ten. We are currently contacting those customers and offering assistance as needed.

We are working with the FBI and international authorities to investigate further.

Points of note:

  • The compromised user ID permitted access only to the reservations at a single hotel, and there is no evidence of unauthorized access to data for any other Best Western hotel.
  • Best Western purges reservations data within seven days of guest departure, thereby limiting potential data exposure to (1) guests who departed up to one week prior to the exposure; (2) current guests; and (3) future guests of that particular hotel.
  • There is no evidence of any unauthorized access to any other customer data.
  • In the day-to-day conduct of our business, we comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards. We also delete credit card information and all other personal information upon guest departure.

Given the nature of IT security, absent evidence of actual attempts to enter our system without authorization, Best Western's highest level of response must consist of the following: (1) to continue to monitor for such activity; (2) to assist law enforcement authorities and our credit card partners with their investigation; (3) to amplify our already stringent data security regime, which is of course compliant with PCI standards; (4) to reinforce best data protection practices at our 4000 worldwide hotels. We are actively engaged in all four of these areas, on behalf of our valued customers and member hotels.

We will release other critical information as it becomes available. Customers with concerns are encouraged to call Best Western Customer Care at US 800-528-1238.

(Read Original Article - Via PogoWasRight - Privacy News Headlines.)

Editor: They are still using some wide open statements (ex. "no evidence of any unauthorized access"; there never is), but at least this time they tried to actually address the issue at hand, and gave some specifics to think about.