Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 25th, 2008

Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

A criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds. On Thursday night, an unknown hacker, possibly Indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007. With eight million people staying in the hotel group’s 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center’s reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment. It seems that the hacker from India succeeded in bypassing the system’s security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run software capable of harvesting every record on Best Western’s European reservation system.

Although the security breach was closed on Friday, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that’s been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there’s enough data there to spark a major European crime wave. Armed with the numbers and expiry dates of customers’ credit cards, fraudsters are equipped to make multiple high-value purchases in their victims’ names before selling on the goods.

The stolen data might also be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims’ names. Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.

Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action. The investigation also includes the third-party website that has allegedly facilitated this illegal exchange of information.

Concerned clients are advised to contact Best Western customer service at 0800 528-1238.

Credit: Sunday Herald

Update (August 29): Best Western rejected claims that it had suffered a massive compromise of customer details. Best Western confirmed on Tuesday that it had suffered a breach at one of its German hotels, but denied Sunday Herald claims that every customer using Best Western European hotels since 2007 had had their booking details compromised.

“We can confirm that on 21 August, 2008, three separate attempts were made via a single logon ID to access the same data from a single hotel,” said Best Western in a statement. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software.”

Best Western insisted that the compromised login ID only permitted access to reservations data for the Berlin hotel. Moreover, Best Western said the login ID was immediately terminated, and the computer in question had been removed from use.

While the Sunday Herald estimated that eight million people had been affected by the hack, Best Western claimed that only 10 customers had been affected. Moreover, Best Western said that it “purges reservations data within seven days of guest departure, thereby limiting potential data exposure”. The company added that it was working with the FBI and international authorities to investigate the incident further.


    2 Responses to “Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft”

    1. Benjamin Wright Says:
      August 25th, 2008 at 12:35 pm

      Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. -Ben

    2. CyberInsecure Says:
      August 25th, 2008 at 1:08 pm

      One source is the Sunday Herald and the other is the corporation itself. They obviously have vastly different motivations. At this point, it is hard to decide who to believe and who reports the truth.
