
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


What Isn't Best Western Telling Us?

Reports of a recent data breach at Best Western were vigorously refuted by the company, but is there something else going on in the background that is not being acknowledged by the company?

From the initial reports, more than 8 million Best Western customers may have had their details captured following unauthorised system access. Best Western's assertion that only one hotel and 13 records were affected didn't attract many supporters, and its claim that adherence to PCI DSS requirements ensured customer safety was received even less well.

At the moment all that is happening is that the Glasgow Sunday Herald (and their source at Prevx) and Best Western have made contrasting claims about the incident, and neither has provided much by way of evidence for their claims. Claiming that it is the world's biggest cyber heist, when it isn't by a long way, puts the burden of proof on the Sunday Herald.

The difference between 13 records and 8 million is significant, but it does raise the question of how Best Western knew that only those few records had been accessed. 13 just isn't the sort of number that people tend to make up when they are making vague claims about quantities. As reported by Best Western, it was antivirus software that identified the trojan horse that had been installed to try to capture credentials at a single European Best Western hotel.

There are questions being asked about Best Western's claims that recorded credit card details are destroyed after a period of time, and about whether this claimed breach indicates a failure to adhere to Level One PCI DSS requirements (assuming Best Western falls under the top PCI DSS level), particularly the requirements for a Data Security Assessment and a Quarterly Network Scan. Perhaps the rapid discovery of the breach and the limited account access claimed by Best Western were achieved through adherence to these requirements, but there are not many who place much faith in this idea, or in the PCI DSS auditing requirements.

There is also the possibility that any breach was targeted at Identity Theft first, financial theft second, so the PCI DSS requirements aren't going to do much to stop that from happening.

How can Best Western ease the fears of a lot of concerned observers? If they re-issued their press release (or even issued a new one) identifying when and how the compromised system was identified and taken offline, and then acknowledged that PCI DSS is only one means of protecting sensitive data and forms part of a layered defence strategy, it would go a long way towards achieving this goal.

It isn't often that the benefit of the doubt is given to a company involved in a data breach, but in this case it is leaning slightly towards Best Western. At the end of the day, Best Western has been tarnished by its response to this issue, and if it cannot adequately address the concerns identified above, then there is little else to do but assume that the worst outcome reported by the Sunday Herald is what happened. Of course, if the evidence of the attack is released by other means, then that, too, would validate the claims of one side.

29 August 2008



