Fog of attack clouds Best Western hack - Via The Register (UK):
Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.
Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.
[...]
In a statement, Best Western explained: "The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use."
Herald technology editor Iain Bruce brought the breach to Best Western's attention in the first place. He waited till the hotel had a chance to close the hole before publishing a story, containing a quote from Best Western.
Since then the two have fallen out big style, with Best Western claiming the Herald's numbers (based on how many people stayed at the hotel over the course of a year) are a load of dingo's kidneys. The hotel angrily denounced the Herald's story, suggesting its reporter had failed to check his facts.
However, Bruce told ITWire that he put the figures to the hotel prior to publication. He said he derived the figure of eight million from the fact that the hacker offered Best Western's entire European reservation database system for sale, not just a few snippets from a Berlin hotel.
Bruce shared screenshots of the database interface with ITWire reporter Davey Winder. The interface covered the whole of Europe and had a date range running from 14 August 2007 until 21 August 2008. It included guest names and payment details.
The screenshot shows just a handful of transactions. Best Western said that data on its guests is purged from its systems a week after they leave the hotel.
If that's the case, Winder considers, why does the transaction log go back a year? Respondents to the story may have an answer for that: the system allows guests to reserve rooms for up to a year. That still leaves the big question of whether the hack allowed Europe-wide access to the hotel's reservation system or just access to the local database, as Best Western claims.
Opinion from Reg readers knowledgeable about Best Western's system is split. One of our readers anonymously suggests that the hacker did not gain access to the central database, but only to an individual hotel's computer application.
(Read Original Article - Via The Register (UK).)