In what some are calling the biggest information heist in recent history, identity thieves managed to acquire a treasure chest of personal information on more than 8 million of hotel chain Best Western’s customers.
According to the Sunday Herald, the breach occurred late last Thursday when an unnamed Indian attacker found a way to gain access to Best Western’s reservations backend. Almost immediately, details were posted for sale on an underground marketplace reportedly run by Russian organized crime; buyers were able to use that information to download all of the system’s records from 2007 to 2008.
The Sunday Herald did not elaborate on how it identified the original poster to be Indian, the possibility of a probe to identify him or her, nor whether Best Western officials reported the heist to police.
Data thieves acquired nearly complete reservation details on each of Best Western’s 1312 continental European locations, which included data on customers’ names, addresses, credit card numbers, telephone numbers, places of employment, and specific reservation dates – past, present, and future. In addition to the regular fears regarding identity theft, the Sunday Herald speculates that the pilfered data could be used to create regional “burglary kits,” which contain the addresses of homes in an area and dates that their owners will not be present.
The unknown Indian hacker acquired login credentials to Best Western’s system after he installed a Trojan horse on one of its reservation computers -- “The next time a member of staff logged in, her username and password were collected and stored,” reads the report.
Best Western says it closed the hole Friday afternoon, after being tipped off by Sunday Herald reporters.
Security experts expressed surprise at the quality of data the breach offered. “They've pulled off a masterstroke here,” says Jacques Erasmus of security firm Prevx. “There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen … makes this particularly rare.”
“The Russian gangs who specialize in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave,” he said.
A Best Western representative said his company immediately took action to close the breach, and will “continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information.”
News of the heist comes just weeks after the announced arrest of an unnamed data theft ring responsible for more than 40 million stolen credit card numbers, including the infamous 2005 breach against T.J. Maxx and Marshalls parent company TJX.
The Sunday Herald estimates the stolen data to be worth more than £2.84B ($5.24B USD).
quote: I've always wondered why they need your home address when making a reservation anyway. I can't see any reason why they would NEED that kind of information.
quote: £2.84bn ($5.24m USD)
quote: And it's an annoying fact for employees when trying to retrieve information on guests for internal purposes.
quote: Best Western says it closed the hole Friday afternoon, after being tipped off by Sunday Herald reporters.