Fog of attack clouds Best Western hack

Analysis Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.

Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.

According to the Herald, an Indian hacker sold information on how to access addresses, telephone numbers and credit card details from the hotel's online booking system after breaking into the system. Tips on how to repeat the hack were offered for sale on a Russian underground hacking forum.

The paper claimed anyone who stayed at any of 1,312 European Best Western since last year - eight million people in all - could have been hit by the attack. All wrong, retorted Best Western: it maintains the breach affected only one hotel in Germany and just ten customer records. The hotel chain said it has tracked down the breach to the infection of a PC in a single Berlin hotel with Trojan horse malware.

In a statement, Best Western explained: "The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use."

Herald technology editor Iain Bruce brought the breach to Best Western's attention in the first place. He waited till the hotel had a chance to close the hole before publishing a story, containing a quote from Best Western.

Since then the two have fallen out big style, with Best Western claiming the Herald's numbers (based on how many people stayed at the hotel over the course of a year) are a load of dingo's kidneys. The hotel angrily denounced the Herald's story, suggesting its reporter had failed to check his facts.

However, Bruce told ITWire that he put the figures to the hotel prior to publication. He said he derived the figure of eight million from the fact that the hacker offered Best Western's entire European reservation database system for sale, not just a few snippets from a Berlin hotel.

Bruce shared screenshots of the database interface with ITWire reporter Davey Winder. The interface covered the whole of Europe and had a date range running from 14 August 2007 until 21 August 2008. It included guest names and payment details.

The screenshot shows just a handful of transactions. Best Western said that data on its guests is purged from its systems a week after they leave the hotel.

If that's the case, Winder considers, why does the transaction log go back a year? Respondents to the story may have an answer for that: the system allows guests to reserve rooms for up to a year. That still leaves the big question of whether the hack allowed Europe-wide access to the hotel's reservation system or just access to the local database, as Best Western claims.

Opinion from Regreaders knowledgable about Best Western's system is split. One of our readers anonymously suggests that the hacker did not gain access to the central database, but only to an individual hotel's computer application.

"As a former IT employee for Best Western (who left recently on good terms) I can confirm that everything Best Western is saying about this incident is true. I still have friends "on the inside", so-to-speak, who confirmed (off-the-record, of course) that a hotel front desk clerk's login ID and password for the 'MemberWeb' system were stolen by a password stealing Trojan (this "MemberWeb system is what allows front desk staff to check on incoming reservations and adjust rates and availability - among many other things)," he wrote.

"The account that was compromised had *very* limited access to the MemberWeb system, so at most, the hacker was able to glean a handful of records from the 'Transaction Log' feature (looking into the account's access history is what showed that it was only 10 records that were actually accessed by the attacker)."

However, another correspondent said that reception desk PCs have access to bookings made at Best Western hotels in other countries, casting doubt that the compromise was limited.

"I have watched as a hotel in Leicester canceled a guest's stay at a hotel in Linz and rebooked him in a hotel in Vienna. At no point was the hotel in Linz informed of this other than via MemberWeb. This was done with a standard MemberWeb login and no reservation numbers - a simple search for the guest's name sufficed. This would seem to contradict BW's statement that 'The compromised user ID permitted access only to the reservations at a single hotel'."

Our man also questioned claims that Best Western purge customer records a week after guests leave its hotels, and explained the system gives access to complete payment details.