Print 31 comment(s) - last by diego10arg.. on Aug 27 at 10:41 AM

Massive data breach considered the world's largest yet

In what some are calling the biggest information heist in recent history, identity thieves managed to acquire a treasure chest of personal information on more than 8 million of hotel chain Best Western’s customers.

According to the Sunday Herald, the breach occurred late last Thursday when an unnamed Indian attacker found a way to gain access to Best Western’s reservations backend. Almost immediately, details were posted for sale on an underground marketplace reportedly run by Russian organized crime; buyers were able to use that information to download all of the system’s records from 2007 to 2008.

The Sunday Herald did not elaborate on how it identified the original poster to be Indian,  the possibility of a probe to identify him or her, nor whether Best Western officials reported the heist to police.

Data thieves acquired nearly complete reservation details on each of Best Western’s 1312 continental European locations, which included data on customers’ names, addresses, credit card numbers, telephone numbers, places of employment, and specific reservation dates – past, present, and future. In addition to the regular fears regarding identity theft, the Sunday Herald speculates that the pilfered data could be used to create regional “burglary kits,” which contain the addresses of homes in an area and dates that their owners will not be present.

The unknown Indian hacker acquired login credentials to Best Western’s system after he installed a Trojan horse on one of its reservation computers -- “The next time a member of staff logged in, her username and password were collected and stored,” reads the report.

Best Western says it closed the hole Friday afternoon, after being tipped off by Sunday Herald reporters.

Security experts expressed surprise at the quality of data the breach offered. “They've pulled off a masterstroke here,” says Jacques Erasmus of security firm Prevx. “There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen … makes this particularly rare.”

“The Russian gangs who specialize in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave,” he said.

A Best Western representative said his company immediately took action to close the breach, and will “continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information.”

News of the heist comes just weeks after the announced arrest of an unnamed data theft ring responsible for more than 40 million stolen credit card numbers, including the infamous 2005 breach against T.J. Maxx and Marshalls parent company TJX.

The Sunday Herald estimates the stolen data to be worth more than £2.84B ($5.24B USD).

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Lesson Learned
By nomagic on 8/25/2008 5:44:36 AM , Rating: 3
Never trust a company with your personal information.

RE: Lesson Learned
By Cullinaire on 8/25/2008 6:09:38 AM , Rating: 3
Yes, throw away all of your credit cards, IDs, checkbooks, etc. Pay for your hotel bills in ones.

Move to Sealand.

RE: Lesson Learned
By Schadenfroh on 8/25/2008 7:14:47 PM , Rating: 2
No, that paper money is marked. You have to use silver dollars.

RE: Lesson Learned
By oab on 8/25/2008 8:49:38 PM , Rating: 2
Or gold coins

RE: Lesson Learned
By threepac3 on 8/25/2008 8:32:14 AM , Rating: 4
Yup, also you should never leave your house, and by house I mean cave.

RE: Lesson Learned
By AntiM on 8/25/2008 8:41:28 AM , Rating: 5
I've always wondered why they need your home address when making a reservation anyway. I can't see any reason why they would NEED that kind of information.
As for credit card numbers,
I think it's about time for governments and credit card companies to start cracking down on merchants that accept un-validated CC #s. The 3 digit card security code should always be required and requiring proof of ID when accepting CCs in a brick and mortar store. The practice of companies storing CC info should be outlawed as well; after the transaction is complete, they have no reason to retain your CC info unless you give them consent. Plus, to store CC info along with name and address info is just plain stupid. To store CC and identification information on an unsecured network is just plain criminal.

RE: Lesson Learned
By Mitch101 on 8/25/2008 9:55:31 AM , Rating: 2
I've literally been begging for a Keyfob/Secure ID to be issued with credit cards. Heck if World of Warcraft can sell them for $8.00 to protect a virtual character in an imaginary world from thieves then why not credit card companies? Then you could go ahead and steal my credit card number but it would be useless without the keyfob to verify the authorization.

RE: Lesson Learned
By HsiKai on 8/25/2008 11:51:15 AM , Rating: 1
That's a good idea in theory, but it raises several security questions; for instance, would credit card companies spring for high-level encryption? Even 512-bit isn't unbreakable, but would be a good deterrent to casual hackers, though it would not stand up against large or government-level operations. Once they figure out one key, wouldn't that streamline the process for stealing every generated ID issued by that credit card company? Hardware encryption would probably take less time to reverse-engineer or just straight copy for the use of fake credit-IDs.

The only secure way I can think of is to have biometric readers built into the credit card and bank-teller machines and there would be a "scannable" fingerprint on the card itself (to authenticate against your own). Even then some people wouldn't want to have their fingerprint on something that could be lost so easily. Though if you did lose it you could simply cancel the card and use a different finger on the replacement.

RE: Lesson Learned
By Mitch101 on 8/25/2008 12:31:02 PM , Rating: 2
Biometrics would be defeated instantly because your finger print or retina never changes and would be broken into nothing but an image of 1's and 0's. The only way that method would work for a little while is if each teller machine had a different algarithm but even then once your finger print is captured as 1's and 0'2 it wont matter.

With a SecureID its constantly changing numbers about every 15-20 seconds. Even if I had a copy of your credit card number there is no easy way to determine what your keyfob's number currently is without stealing it too.

Some people call them tokens but you see they make a credit card style version.

Its much better than the three digit security code which once someone has that its just that same as having your complete credit card number.

An outside variable that constantly changes is the only viable solution.

RE: Lesson Learned
By marvdmartian on 8/25/2008 9:56:56 AM , Rating: 2
Good start you've got going there. Now let's add to it:
1. Make corporations that do store personal data financially liable to the people whose data is stolen from their computer networks. Right now, there's really no reason why they should bother spending any significant amount of money on security for their computer systems, since all that happens is they get a temporary black eye when that data is stolen, which is quickly forgotten by the public.
2. Increase the punishment for the hackers involved in obtaining personal information from corporate computer systems. If you make the stakes for getting caught high enough, you might reduce the possibility of it happening in the future. Sure the victims of identity theft might not see much more than a temporary discomfort in their lives from the actions of an identity theif, but in cases like this, the cumulative effect would he pretty high. I'm thinking that when they're caught, they be given the choice between working for the "good guys", to help keep it from happening again, or the death penalty.
3. Stop every company that feels as though they need it from requiring your social security number to obtain service from them. I mean, isn't it ridiculous that the power company needs your SSN in order to provide you electricity?? To be honest, the only two entities that need your SSN is the government (IRS, Social Security office, etc) and your employer (to make certain the deductions from your check are credited correctly). I can't for the life of me think of anyone else who should have the right to have your SSN, especially stored on their "secure" network.

RE: Lesson Learned
By glennpratt on 8/25/2008 3:45:10 PM , Rating: 2
You want the state to KILL people for hacking? Wow, that would be a sad day.

RE: Lesson Learned
By Denithor on 8/25/2008 6:04:07 PM , Rating: 2
Not only that, how the hell would you enforce something like that in the international community? I mean, I'm all for putting murderers to death (and rapists & child molesters, if truth be known) but most countries don't even allow the death penalty for those crimes, let alone something like hacking (although this can disrupt many, many people's lives to the same degree as a murder or physical rape).

RE: Lesson Learned
By Solandri on 8/25/2008 1:30:07 PM , Rating: 3
I've always wondered why they need your home address when making a reservation anyway. I can't see any reason why they would NEED that kind of information.

The address is needed because the credit card companies have set up a system where if a charge is disputed, it's up to the merchant to prove that the charge is legit, or else the charges are reversed. So the merchant takes two steps which require the address.

1. When processing the charge, it verifies the CC# with the billing address, and only approves the transaction if the address is correct. This prevents a thief who lifted the card number but doesn't know the address from making a transaction. (The security number works the same way, although it can be gotten by simply taking a picture of the card.)

2. If a charge is disputed, having as much information as they can on the customer helps the merchant validate their claim that the charge is legit. They won't say how they decide a dispute, so merchants try to collect and save everything they can. Of course the persuasive weight of this evidence is reduced if there are lots of cases of information theft as in the article.

The whole credit card industry is a group of middlemen who've managed to insert themselves into the majority of the world's financial transactions, while shifting most of the risk to the merchant or customer. With modern computers and networks, each credit card transaction could be done at the cost of a fraction of a cent, yet they still charge 2-5 cents and approx 2.5% of each transaction. Essentially they're grabbing 1-2% of each retail businesses' revenue for virtually no work or risk.

The lackadaisical attitude towards credit card number security is also a result of this - the major credit card companies don't care about credit card fraud because they bear almost none of the risk. If you successfully dispute a charge (from say a stolen CC used by a thief to buy something), the merchant usually ends up eating the loss. A lot of laws initially put in place to encourage the adoption of credit cards (like not being able to charge a fee for using a credit card) need to be repealed, and some heavy anti-trust investigations done on the industry.

No lawsuit against Best Western Yet?
By ScottHardy on 8/25/2008 10:29:21 AM , Rating: 2
I GUARANTEE you that we'll see a class action lawsuit against Best Western within the next seven days. Looking at the history of these cases over the past few years we can expect a settlement in the $50 - $100,000,000 range. Yes, that's right. It'll be costing Best Western tens of millions of dollars to pay for this security hole.
Ross and dd's DISCOUNTS just shelled $1.25 million dollars over a security hole (cash settlement, details here
and of course there's another settlement here
for a similar security issue which ended up costing the companies $6.5 million in attorney fees alone.

What will Best Western end up shelling out for a security hole that could have been identified for less then $100,000 in security consulting fees? We'll see...

Warm Regards,
Scott Hardy

RE: No lawsuit against Best Western Yet?
By Joz on 8/25/2008 10:40:09 AM , Rating: 1
rated down and comment:

Trying to put your name up there, eh?
I'd rather class action lawsuit any asshole lawyer that put his name up this fast. Hes the one that probaly helped the indian hacker by staying at best western and putting the trojan on the computer(s)

RE: No lawsuit against Best Western Yet?
By EricMartello on 8/25/2008 1:03:15 PM , Rating: 2
Oh shnap we got the remaining Hardy Boy on this case!! Let me know when the paperback is out.

By ScottHardy on 8/25/2008 5:32:04 PM , Rating: 2
Doggone it. . . Where's Nancy Drew when I need her? ;)

A few orders of magnitude
By Sc4freak on 8/25/2008 5:31:37 AM , Rating: 2
£2.84bn ($5.24m USD)

I think you're off by a few orders of magnitude there. ;)

RE: A few orders of magnitude
By jtesoro on 8/25/2008 6:05:23 AM , Rating: 2
How do they even quantify the value of this? If someone bought all that data, do we really expect them to generate more than $5 billion off of it?

RE: A few orders of magnitude
By inighthawki on 8/25/2008 7:26:00 AM , Rating: 2
Perhaps they have it measured by the number of credit card numbers obtained and by how much each card can use; thought it still looks a little low...

I guess
By dickeywang on 8/25/2008 6:42:23 AM , Rating: 4
This means we will see more Nigeria princes with European mailing addresses?

RE: I guess
By Denithor on 8/25/2008 6:18:22 PM , Rating: 2
Yep, set up with a fancy new OLPC diverted to more profitable purposes. Or maybe the kids will be the ones using these new laptops for this purpose? Good quality education in hacking?

By Spivonious on 8/25/2008 10:02:30 AM , Rating: 2
All Best Western had to do was encrypt the data for storage. Then just have the Best Western front-end do the decrypting and the hackers just get a bunch of gobbledygook.

RE: Dumb
By Ratinator on 8/25/2008 12:28:07 PM , Rating: 2
Or better yet, just not store the credit card information at all. It isn't necessary.

RE: Dumb
By diego10arg on 8/27/2008 10:41:20 AM , Rating: 2
Maybe their actual Central Reservation System does not support PCI Compliance.

Amount of information stolen is inaccurate
By Gogeta4832 on 8/25/2008 1:20:06 PM , Rating: 2
I happen to work at a Best Western Hotel in my town and saw the fax regarding this yesterday morning. First off, there is no way that they made off with any information from 2007 at all and only limited information inside 2008.

All reservations and information is purged 24 hours after the guest is scheduled to check out of the hotel. And it's an annoying fact for employees when trying to retrieve information on guests for internal purposes.

So unless they hacked each hotel for backdated information, they are not going to get anything other than current information, which, while a problem yes, is not near the amount they claim to have stolen.

By kontorotsui on 8/26/2008 4:15:23 AM , Rating: 2
And it's an annoying fact for employees when trying to retrieve information on guests for internal purposes.

Internal purposes like the name, marital status and especially address on the hottie from room 406? Must be very annoying missing those details.

Anyone else find this weird?
By PointlesS on 8/25/2008 10:21:28 AM , Rating: 3
Best Western says it closed the hole Friday afternoon, after being tipped off by Sunday Herald reporters.

they didn't know they were hacked until some reporter told them?

By kmmatney on 8/25/2008 12:28:25 PM , Rating: 2
The funny thing is, this operation didn't really need a hack - you just need to give a corrupt hotel employee (e.g. the late night shift person) a small bribe for the logon details. How did the trojan horse get on the computer to begin with?

Name Change
By EricMartello on 8/25/2008 1:00:35 PM , Rating: 2
I hereby declare 'Best Western' is now "Could do Worse Western". "We no longer accept customers with information."

“So far we have not seen a single Android device that does not infringe on our patents." -- Microsoft General Counsel Brad Smith
Related Articles

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki