Hackers breach Best Western in data heist

Hackers have broken into the corporate databases of Best Western Hotels and may have stolen the names, addresses and credit card information of every customer who stayed with the international group since 2007.

An investigation by the Sunday Herald found that an unknown Indian hacker broke into Best Western's databases on Thursday. The databases contain the names, addresses, credit card numbers and additional customer information of people who have used the chain internationally.

"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected," said a spokesman.

"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."

The details of how to get into the database were apparently provided by an Eastern European hacking group and, although the security hole the hacker used has now been closed, the potential losses to customers could be huge.

View: Vnunet


40 Comments


And see, that's why I won't have a credit card; if you can't pay cash or chq (personal or travelers), go somewhere else. The other thing is, why do they need to hold my details for so damn long? If after a month there are no discrepancies, then delete it please. I don't see why that cannot happen, and it would be much more secure than the previous situation: instead of millions they'd only get, if at all, a few thousand, and the offending company gets investigated to see why it was able to be hacked, and charged if it was found to be negligent in its security of personal data.

Surely Best Western would be in breach of the PCI DSS - Payment Card Industry Data Security Standard.

Working for a software development company that designs Hotel Reservation Management Software in the Hotel Industry, I am very much aware of the requirements of this standard, which specifically state how credit card numbers can be stored and for how long.
I believe that there are massive fines for clear breaches of the standard - not to mention the potential to lose their merchant facilities.

PCI DSS on Wikipedia

I really don't understand why they would want to store this information. Maybe it's just done.

I work in a shop that keeps all the credit card slips which have the numbers on them. Imagine if they got stolen....

Forgiven

We just all have to realise that the colour of one's skin cannot determine their political beliefs, religion or even the country that they are from.

Yes, Indian folks do have a similar race to some middle eastern countries that the USA is at war with, however there is no hostility between India and the western world.

My mother and father are Indian. However my mother lived all her life in the UK and I was born here and I have never even visited India. I have actually lived longer in the Western World than some people that say racist things to me. I feel as British/Irish (living in Northern Ireland here lol) as any other person in this province.

Well if an Indian broke into Best Western, should we have some teenager break in the Best Mid-Eastern in response?
(Ba da boom -tiss)

You idiot.

India is not in the middle east. It is in South Asia.

I am not having a dig at you, however I hate the world's ignorance when it comes to racial groups.

"Oooooh Indians...similar race to some terrorists....let's bomb them"

(jonnytabpni said @ #14.1)
You idiot.

India is not in the middle east. It is in South Asia.

I am not having a dig at you, however I hate the world's ignorance when it comes to racial groups.

"Oooooh Indians...similar race to some terrorists....let's bomb them" :(

Hey chickey pie
Ba Da Boom Tiss.... Does that sound like a "Rim shot"?
You must have been disgusted with Harold and Kumar movies
And who cares what you interpret from my comment.
So ....... get a hookah, a flute, a wicker basket full of snakes, wrap a bath towel around your head and calm down

Geeez some people are so stiff these days

Not having a dig at you but I don't even know if there is a Best Eastern...or a Best South Asia... it was a play on words

(jonnytabpni said @ #14.1)
You idiot.

India is not in the middle east. It is in South Asia.

I am not having a dig at you, however I hate the world's ignorance when it comes to racial groups.

"Oooooh Indians...similar race to some terrorists....let's bomb them" :(

Let's bomb the "terrorists race"

You aren't too bright either.

(atari800 said @ #13.2)

Hey chickey pie
Ba Da Boom Tiss.... Does that sound like a "Rim shot"?
You must have been disgusted with Harold and Kumar movies
And who cares what you interpret from my comment.
So ....... get a hookah, a flute, a wicker basket full of snakes, wrap a bath towel around your head and calm down

Geeez some people are so stiff these days

Not having a dig at you but I don't even know if there is a Best Eastern...or a Best South Asia... it was a play on words

OMG you're just proving my point even more. For a start, Indians tend not to wear towels around their head. But anyway, I don't really care what you think. Thank Goodness that there are many people in the world who are bigger than you who just know not to say such offensive stupid things.

I *could* bring up the stupid American thing (assuming that you are American - hey you made some wrong assumptions too) but I won't coz I have faith in the human race and that not everyone's personality can be stereotyped by their racial group.

Tip to the world: Stop judging each other by the colour of one's skin. Not all Americans are stupid. Not all brown coloured folks are related to or from the same country as each other. I hate this world of ignorance. Let's try and do something to stop it

Oh well, looks like I've got to phone the bank and request a new card. I doubt I'll stay at the Best Western chain again. I hope this ensures other companies tighten their security using securid's and proper anti-virus software to stop this happening.

Companies are responsible for the data they keep and thus should be sued when a security breach occurs. There is no reason to store data in a way that hundreds of thousands of records can easily be downloaded....

(imachip said @ #13)
Oh well, looks like I've got to phone the bank and request a new card. I doubt I'll stay at the Best Western chain again. I hope this ensures other companies tighten their security using securid's and proper anti-virus software to stop this happening.

Companies are responsible for the data they keep and thus should be sued when a security breach occurs. There is no reason to store data in a way that hundreds of thousands of records can easily be downloaded....


It is not the Best Western chain or another company, it is only whom the hacker wants to go for.
Companies should try to provide good security for their data.
The war between evil and good will remain there.

The hacker "is" Indian because they can track the registry and look at who accesses (the IP) the database; with the IP it is possible to determine the location of the hacker and, with the date/time, it is also possible to determine where the connection was made. Of course, only a fool will try to hack a system without hiding/spoofing their own IP, so yes, this "Indian" can be any person, from another country or even a former/actual Best Western employee, and usually the hacks are from the inside.

Nice...but I have to ask the same question Don Matteo asked: "how'd they know the hacker was indian...?!!??" And why, oh why, would you store someone's information for so long?

I like how the icon for the article is the "bad windows" icon. I don't see anywhere in the article where it mentions Windows as the culprit. Perhaps Neowin should use a more neutral icon for these types of articles?

(Chrono951 said @ #6)
I like how the icon for the article is the "bad windows" icon. I don't see anywhere in the article where it mentions Windows as the culprit. Perhaps Neowin should use a more neutral icon for these types of articles?

+1. I thought I was the only one who noticed the Neowin Anti-Windows logo being used when there is absolutely no mention of which operating system in use. I guess we know where Neowin stands.

(s3n4te said @ #5)
Are Canadian customers affected?

I think so ... "...credit card information of every customer who stayed with the international group since 2007".

After the hacker downloaded all the information, he should have wiped the system clean, so the customers couldn't be contacted.

(warwagon said @ #4)
After the hacker downloaded all the information, he should have wiped the system clean, so the customers couldn't be contacted.

Have you ever thought that it's better not to say anything rather than to say something stupid? Have you ever heard the word "backup"? Might want to do some research on what it means.

(Andrey said @ #4.1)

Have you ever thought that it's better not to say anything rather than to say something stupid? Have you ever heard the word "backup"? Might want to do some research on what it means.

You're under the assumption that people stupid enough to hold unencrypted credit cards on a system open to hackers are smart enough to have a backup plan in place?? That's a large assumption.

A better answer would have been: Erasing customer records after stealing the information would have raised alarm as ANYONE would have noticed the change. By leaving it as is, the only people who would find out are the moron(s) that set up the system for the hackers to get in.

Very concerned. I have suspended their entire internet service for not securing their wireless network properly. Them, Holiday Inn and some others. No matter where you go, always be wary. There are "IT people" that are anything but that.

(Long said @ #2)
Why do they store credit card numbers?

Because they're idiots that want to get sued by their customers, I suppose...

(Webworldx said @ #2.2)

All stores do.


No they don't. Most stores would care little for maintaining that information. It's a liability. Most stores care about if your card is authorized, the amount approved, and the transaction captured by a 3rd party, and that's it.

I wonder why the card numbers weren't encrypted.

They store credit card numbers supposedly for the convenience of the customer. Say you're making a reservation at a hotel or hotel chain that you've stayed at before already, then they can just ask "would you like to hold the room on this card?"

And no, you don't have a choice. You can pay with cash, sure, but most places will still require a credit card to ensure things like room damages and smoking in a non-smoking room cleaning fees that people would otherwise just skip out on. And actually, I can tell you that most of the time, it is the people that pay with cash that do that for a reason; because they are expecting to trash the room and do other things they know they shouldn't be doing.

(excalpius said @ #1.1)
You can't. All hotels require the card to guarantee room charges etc. :(

I worked hotels and reservations, and yes you can. For many chains you have your room held until 5 pm as a courtesy of the hotel, after which late arrivals will only be guaranteed via CC. As far as room charges etc., it's not that big of a deal to place cash on your account upfront at the hotel so you may make some purchases.

It's more work upfront if you're willing to do it. Only downside is that for paying with cash you may be required to pull out your Driver's License for copying for the establishment's record in the event the clerks screw up your account and allow you to overcharge/tear up the room etc.

All hotels accept Traveler's Cheques. They're like cash, only a bit more secure. You pay a premium to buy them, but they are backed by a big bank and/or credit card company and you have to countersign them before they can be cashed.

Banks and credit card companies don't like to tell people about Traveler's Cheques anymore because they make much more money keeping everyone in credit card debt.... but they still sell Traveler's Cheques.