Best Western Loses Details On 8 Million Customers

Albanach writes "Scotland's Sunday Herald newspaper has an exclusive report that the Best Western hotel chain has lost the personal details of each and every guest who has stayed at any of its 1300 hotels in the past 12 months. This amounts to details on 8 million customers and includes information such as name, address, credit card details and employment details. The data even includes future booking details, causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied. A Best Western spokesperson is quoted as saying 'Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected.'"
  • by Renegade Lisp ( 315687 ) * on Sunday August 24, 2008 @07:45AM (#24725373)

    The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?

    I stayed at Best Western in the US late last year. Luckily, I have since then changed to a different credit card than the one I used at the time.

    The last time a company I did business with lost my credit card details, I decided I wouldn't do anything about it until I really saw an unauthorized withdrawal from my account, because in the past, when there was an unauthorized withdrawal (it only happened to me once), a single phone call to the credit card company had been enough to get my money back (some 300 Euro). They said they would start to investigate it, but because it could take a long time, "here's your money back as a first measure."

    With the recently stolen card info, I got a notice from my bank a few months later that they had to disable my card because there was an attempt to commit fraud with it. I got a new card with no further action required on my part.

    Either way, this could turn out to be a big hassle for Best Western. If only they could let me know if my personal data was affected.

    • Re: (Score:3, Informative)

      by jrothwell97 ( 968062 )
      From a British newspaper, yes, 'continental' means 'European', as in a 'continental breakfast'.
      • by Carewolf ( 581105 ) on Sunday August 24, 2008 @08:08AM (#24725451) Homepage

        Well, for Brits, Continental means European except British.

        • Re: (Score:2, Informative)

          by yoghurt ( 2090 )

          No, jrothwell97 is right. The British do not consider themselves to be European. My British SO's family get indignant when you say they are Europeans. Thus, for the British, Continental is European.

          The Swedes, on the other hand, do consider themselves European, but not continental (despite the Scandinavian peninsula being attached through Finland to Russia).

          • I am British and I certainly consider myself European. However, I currently live overseas, so perhaps I am more inclined to take a more worldly view. Most Brits I have met seem to be quite happy that they are isolated from other European countries.

          • by sticky_charris ( 1086041 ) on Sunday August 24, 2008 @01:15PM (#24727181)
            We British do consider ourselves to be European. A minority of xenophobes in Britain consider themselves not to be European (or realise they are and would prefer not to be) and an even smaller number don't even consider themselves (or want to be) part of Britain - they are Scottish, Irish, Welsh or English in their eyes. I consider myself Scottish, British and European, and almost everyone I have met with any intelligence regards themselves in the same way.
    • Re: (Score:3, Funny)

      by jalet ( 36114 )

      > Either way, this could turn out to be a big hassle for Best Western. If only they could let me know
      > if my personal data was affected.

      They will: they've just decided to put the list of names, addresses, and credit card information of the compromised client records freely available online for you to check. For convenience, they've made this data available for download as an Excel spreadsheet as well.

    • by Renegade Lisp ( 315687 ) * on Sunday August 24, 2008 @08:13AM (#24725465)

      Replying to myself, I just checked Wikipedia. Best Western [wikipedia.org] has 4,000 hotels world-wide, 2,000 of which in North America. This means that the 1,312 hotels affected are probably all in continental Europe.

      • BW themselves think that Britain is in Europe:

        http://www.bestwestern.com/newsroom/factsheet_detail.asp?FactID=4 [bestwestern.com]

        So that 1312 includes the UK.

        However, I'd be surprised if BW reps weren't able to access data worldwide (given that their web site handles worldwide bookings). Presumably the real answer to "what data was stolen" is "we don't know".

        • Presumably the real answer to "what data was stolen" is "we don't know".

          Mod parent up. I think that hits the nail on the head. Immediately when I read the article I wondered, why on earth do they keep the European data separate from the rest of the world? And, what's more, keep the British data separate from the "continental data"? I find it hard to believe that this was the case.

    • From TFA:

      "... enough data there to spark a major European crime wave."

      "... harvesting every record on Best Western's European reservation system."

      Sounds like the article did disambiguate...

      • From TFA:

        "... enough data there to spark a major European crime wave."

        "... harvesting every record on Best Western's European reservation system."

        Sounds like the article did disambiguate...

        Yes, but then again it refers to the FBI as if it had something to do with this investigation. There are hints in the article, yes, but it would have helped to just say it.

        It didn't help that the Slashdot summary implied it was every Best Western hotel, making no reference to Europe at all.

    • by jimicus ( 737525 )

      The Sunday Herald article is amazingly unclear about the scope of this breach. Which hotels are affected? The article says all "continental hotels". Does that, from a British newspaper, mean European continental hotels only?

      I imagine it refers to the part of the company which is referred to as Best Western Continental.

  • From TFA:

    A previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

    It is a move that has been dubbed the greatest cyber-heist in world history.

    This sounds a bit exaggerated to me. Greatest Cyber-Heist? What's the odds they just hadn't bothered to encrypt the details or had done something silly with the encryption keys?

    • Re: (Score:3, Insightful)

      by Swampash ( 1131503 )

      By definition, the "Greatest" cyber-heist is one that we don't know about, since its greatness inheres in the fact that it's undetectable.

      • Not necessarily. I think they're using "greatest" in the sense of "largest". So the largest cyber-heist might not automatically be undetectable.

        I think you're saying greatest as in "Most awesome", which would infer not a single person noticing anything was wrong.
        • "Not necessarily. I think they're using "greatest" in the sense of "largest". So the largest cyber-heist might not automatically be undetectable."

          So it's not subjective, but is fully quantifiable? Did they steal more bits, or were the bits just bigger?

          • I suppose I was thinking in terms of monetary value, which is probably even harder to pin down. How much is an identity worth versus a credit card number? etc.
    • Given it's already happened and it wasn't "something silly with the encryption keys", the odds of it being that are exactly zero. You can actually find out what happened by reading TFA. Isn't that amazing? It would take you all of two minutes. Then instead of sitting there spewing ill-informed shit to the world you might have half a clue what's going on.
  • I didn't see what the problem was, until it got to the part about "compromised accounts", etc. I thought they just lost it, like a hard disk died or they shredded them accidentally. It took me until halfway down the page to realize they "lost" it to someone else.
    • by Buran ( 150348 )

      And yet they say "the interests of our guests are protected". So their customers' best interest is the hotel allowing personal and private information to be in the hands of criminals?

      I don't like Best Western very much, even in the US, but this means I will never stay with them again if that's their idea of their customers' best interests. My best interests will best be served with ... another hotel.

      • by mpe ( 36238 )
        I don't like Best Western very much, even in the US, but this means I will never stay with them again if that's their idea of their customers' best interests. My best interests will best be served with ... another hotel.

        You probably mean an independent hotel where you can make a booking which does not involve a "cardholder not present" credit card transaction. Otherwise how do you know that Best Western's behaviour isn't "industry standard"?
  • Bad Summary (Score:5, Informative)

    by telchine ( 719345 ) on Sunday August 24, 2008 @07:59AM (#24725427)

    The summary is misleading:

    The details weren't "lost"; the server was compromised and they were stolen.

    This doesn't affect all Best Western hotels, just some European ones.

    The details stolen are from 2007-2008 (up to 20 months)

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Yeah. Personally, I'd like it if more companies *actually lost* my personal information more often. As in, "oops, that personal information was irretrievably deleted."

      • Re: (Score:3, Insightful)

        by mpe ( 36238 )
        Personally, I'd like it if more companies *actually lost* my personal information more often. As in, "oops, that personal information was irretrievably deleted."

        Or even as in they don't store personal information beyond the point when it is actually needed.
        All sorts of companies appear to treat infrequent, even "once only" customers as though they are frequent repeat customers. It simply doesn't make much sense for a hotel chain to do this. With the possible exception of big corporate customers, the typic
    • Best Western wasn't deprived of their backups, were they? So by famous Slashdot Meme-Think, the info "wasn't stolen", it was "infringed"!

      Since people don't make money by selling their personal details anymore, you can always go to their houses for live performances!

      Since the "making available" theory is in trouble these days, we look for actual proof of data download... which we have, right? Then can we get the FBI to go after these guys for statutory damages of 3*$1*8M = $24 Million? (Because many songs ha

    • Re:Bad Summary (Score:5, Interesting)

      by ralphdaugherty ( 225648 ) <ralph@ee.net> on Sunday August 24, 2008 @01:59PM (#24727603) Homepage

      This whole thing is very confusing to make sense of, starting with British writers that write like the National Enquirer.

      Starting at the beginning, from TFA, someone from India "planted a trojan virus on one of the [continental] Best Western Hotel machines used for reservations" collecting the username and login of a staff person's login.

      So what does that give them? A log in to the Best Western reservations system. Gee, wonder how many people know that top secret info? Like every freakin Best Western counter clerk, for starters.

      And then what does one do when logged in to a reservations system? They make reservations!!! Holy cow, that's top secret too.

      So here's where it gets confusing. How does someone knowing the login to a reservations system, which is like everyone using it, allow anyone who's logged in to acquire the entire reservations history table?

      If anyone can do it by selecting history on all or something, then any Best Western clerk could have retrieved all this info at any time just by logging in.

      With the trojan virus hocus pocus talk, there is an implied possibility that the virus spread to the server which provided a back door to retrieve the info, but that isn't stated. What's stated is that the trojan merely recorded a login and the Indian got it. We know that is what is happening in bot networks all over the world. It's just a matter of which logins get snapped up from an unsuspecting user.

      So either any Best Western clerk could retrieve all reservation history including credit card info at any time, in which case the Indian might just as well have worked for one, or there's an unspecified and unexplained access to the server that provided a backdoor FTP from the server.

      One or the other, but if the first then it wouldn't be the greatest cyber-crime ever, it would be the worst reservation system server software in history.

      If the second, again, a clerk could have copied a trojan virus file from a floppy to the reservations PC and logged in, doesn't require a "hacker" at all.

      My guess from the frenzied journalism is that a reservations clerk login is all it took, rather than hoping the trojan virus could both capture the login and then also migrate successfully to the server, since trojans generally aren't multi-OS aware, and, assuming the server was the same OS, migrated with standard trojan attack vectors for the OS. I find that hard to believe though.

      I also wonder whether there were any confirmed sightings of the info being offered in criminal forums by any of these quoted security experts or just how it came to be known that the entire reservations history table has been downloaded by anyone who acquired the reservations system login from the Indian.

      Gee, having a Best Western reservations system login being the cyber-crime of the century is the goofiest thing I've seen since the last /. debacle thread, and we don't have to go too far back to find one.

        rd

      • Re: (Score:3, Informative)

        Lots of good points here. I have worked with the same type of reservations system. A front desk clerk's credentials could indeed be used to extract the data -- calling up one record at a time. (On versions released in the past five years all but the last 4 numbers of the CCN are masked so they still would not have everything they might want.)

        A front desk clerk with way too many permissions, working knowledge of Oracle, and a DB password might be more efficient at stealing information.

        Have not been able to f

  • PARDON? (Score:4, Insightful)

    by jrothwell97 ( 968062 ) <jonathan&notroswell,com> on Sunday August 24, 2008 @08:00AM (#24725431) Homepage Journal

    'Best Western took immediate action to disable the compromised log-in account in question...

    WHAT? In that case, they haven't lost the data due to carelessness (which I can just about forgive) - they've failed to secure their systems, which is criminally negligent.

    • Re: (Score:3, Interesting)

      by DarkOx ( 621550 )

      they've failed to secure their systems

      Best Western took immediate action to disable the compromised log-in account in question...

      Don't rush to judgements without the facts being in. It's entirely possible from what was posted there that a single employee did something bad, not that the whole organization was negligent. In most computer systems you ultimately have to have someone or a small group of people that are "root". Some account has to have the authority to do just about anything to the system in case it needs to be fixed, in a hurry.

      Maybe a principal DBA decided to join the mob in this case, who knows?

      Even if you have separat

      • Re:PARDON? (Score:5, Insightful)

        by AK Marc ( 707885 ) on Sunday August 24, 2008 @01:20PM (#24727247)
        Don't rush to judgements without the facts being in. It's entirely possible from what was posted there that a single employee did something bad, not that the whole organization was negligent.

        If you can break one account and download millions of records before anyone notices and you allow all that anonymously over the Internet, then I'd say there are some systemic problems. That is by far the easiest way to do it, but also the least secure. If any single user account gets hacked, the entire database is open for quick and easy download. But, if you had people go through a front-end that only fed one record at a time, logged all records presented to which accounts, froze the account at more than 10 records per minute or 100 in a day (or whatever number works) then you could make a system that would still allow for a user that gives away his username and password and not make millions of records available for immediate download. And even if it did happen, you'd have an exact record of every record touched, to limit exposure and damages (no one claiming they were affected when they weren't).

        Compartmentalization is important for security, but never done because it is often inconvenient for the users. The trick is to fine for just the loss of records, something like $10 per record exposed, so that they will treat them like real money, not just a PR issue if things go wrong. The current method of them paying only with proof of damages to a person, or buying a credit watch for a year (probably at some obscenely discounted rate and gets you on the credit report company's mailing list) is a joke. Make it cost real money and you'll see more lying about when they do happen and more security to prevent them from happening.

        Even if you have separation of powers you are still vulnerable. Suppose the DBA and the System Admin are different people. Maybe the DBA keeps things locked up tight and the database itself is encrypted. The system admin can still just sit and read memory all day and collect the info that way. I used to do this in school. Some of us had shell accounts in the comp sci dept. I never had to "break" or get elevated privileges past any security but I could collect lots of interesting information by running a little C program I wrote which allocated a big character array, did not initialize it and then wrote the contents to disk every few moments, lather rinse repeat.

        Or, they give full read access to everyone so that some accountant somewhere has an easier time setting up Crystal Reports to run a monthly report. You don't need high level access to compromise the data. Even the lowest read-only access will expose every record in it.
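The control AK Marc describes above, a front-end that serves one record per request, logs every record presented to each account and freezes an account once it exceeds a per-minute or per-day budget, as an added example in Python. This is not code from the page, from Best Western, or from any real reservation system: the audit-line format, the account names and the sample log are constructed here, and the thresholds are the ones the comment suggests (10 records per minute, 100 per day). The example replays a log through the gate and then produces the per-account exposure record the comment says you would want after an incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-line format (not from the page): "<ISO-8601 UTC> <account> <record-id> <source-ip>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one audit line into (timestamp, account, record_id, source_ip)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, account, record, ip = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, record, ip


class AccessGate:
    """Per-account throttle for a one-record-at-a-time front-end.

    Every record that is actually presented is appended to `served[account]`,
    which is the audit trail used to scope exposure after a credential leak.
    """

    def __init__(self, per_minute=10, per_day=100):
        self.per_minute = per_minute
        self.per_day = per_day
        self.recent = defaultdict(deque)   # account -> timestamps in the last 60 s
        self.daily = defaultdict(int)      # (account, date) -> records served that day
        self.frozen = {}                   # account -> (timestamp, reason)
        self.served = defaultdict(list)    # account -> record ids presented

    def request(self, ts, account, record):
        """Decide one lookup; returns True if the record may be shown."""
        if account in self.frozen:
            return False
        window = self.recent[account]
        while window and ts - window[0] >= timedelta(seconds=60):
            window.popleft()               # drop timestamps older than the sliding minute
        if len(window) >= self.per_minute:
            self.frozen[account] = (ts, f"more than {self.per_minute} records in 60 s")
            return False
        if self.daily[(account, ts.date())] >= self.per_day:
            self.frozen[account] = (ts, f"more than {self.per_day} records in a day")
            return False
        window.append(ts)
        self.daily[(account, ts.date())] += 1
        self.served[account].append(record)
        return True


def replay(log_text, per_minute=10, per_day=100):
    """Feed an audit log through the gate in order; returns the gate with its state."""
    gate = AccessGate(per_minute, per_day)
    for line in log_text.splitlines():
        if line.strip():
            ts, account, record, _ip = parse_line(line)
            gate.request(ts, account, record)
    return gate


def exposure_report(gate):
    """Per account: records actually presented (the exposure) and the freeze reason, if any."""
    return {
        account: {
            "records_served": len(records),
            "frozen_at": gate.frozen[account][0].isoformat() if account in gate.frozen else None,
            "reason": gate.frozen[account][1] if account in gate.frozen else None,
        }
        for account, records in gate.served.items()
    }


def _burst(account, ip, start, count, step_seconds, first_id):
    """Constructed lookups: `count` records, one every `step_seconds`, starting at `start`."""
    return "".join(
        f"{(start + timedelta(seconds=i * step_seconds)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
        f"{account} RSV-{first_id + i} {ip}\n"
        for i in range(count)
    )


# Constructed sample log: one ordinary desk, one scripted dump, one slow all-day scrape.
SAMPLE_LOG = (
    "2008-08-20T09:00:01Z clerk-paris-01 RSV-100231 10.20.1.15\n"
    "2008-08-20T09:00:17Z clerk-paris-01 RSV-100232 10.20.1.15\n"
    "2008-08-20T09:03:40Z clerk-paris-01 RSV-100233 10.20.1.15\n"
    + _burst("clerk-oslo-07", "203.0.113.9", datetime(2008, 8, 20, 23, 0, 0), 150, 1, 200000)
    + _burst("clerk-berlin-03", "203.0.113.40", datetime(2008, 8, 21, 0, 0, 0), 105, 540, 300000)
)

if __name__ == "__main__":
    for account, row in exposure_report(replay(SAMPLE_LOG)).items():
        print(account, row)
```

The sliding window catches the fast scripted dump after ten records, and the daily counter catches the slow scrape that stays under the per-minute limit all day; in both cases the `served` list is the exact set of records the leaked credential exposed, which is what limits the notification scope afterwards.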
        • by mpe ( 36238 )
          If you can break one account and download millions of records before anyone notices and you allow all that anonymously over the Internet, then I'd say there are some systemic problems.

          Assuming you notice at all...

          That is by far the easiest way to do it, but also the least secure. If any single user account gets hacked, the entire database is open for quick and easy download. But, if you had people go through a front-end that only fed one record at a time, logged all records presented to which accounts,
    • Re:PARDON? (Score:4, Insightful)

      by EdIII ( 1114411 ) * on Sunday August 24, 2008 @09:33AM (#24725775)
      Criminally negligent is a very serious allegation you are making. I can not understate that.

      I highly doubt that the Best Western meets the standards for criminal negligence in this case. In fact, the article mentions that they deactivated the compromised security credentials of the employee in question immediately. That alone suggests that levels of security were present in their information systems. You would seem to suggest that the fact they did means the security did not exist, which is contradictory. The security existed, it was just bypassed or failed in some way. Failure does not automatically equal negligence.

      Remember, that criminal negligence is prosecuted by an attorney representing the state or the "people" which can result in jail time. There are several levels of criminal negligence. ALL of them involve the intent of the person(s) accused. In order to be criminally negligent a person would have to have knowledge that their actions (or lack of actions) would contribute to the harm of another. Furthermore, the reasonable person standards are also used. This reasonable person is appropriately informed, capable, aware of the law, and fair-minded. A reasonable person would have to conclude that the Best Western knew their security policies were inadequate and that there was a high probability that the sensitive information of their customers would be compromised in some way.

      I highly doubt that a reasonable person, which would most likely be a network administrator or somebody possessing the requisite skill sets, would conclude that the security measures were that inadequate and that the Best Western had knowledge of that fact. Logon credentials by itself suggest that.

      You should also know that to even consider criminal negligence, a crime must take place as a result of the negligence. Any culpability, or liability is related to those crimes only. The theft of the data is not a crime that could be considered either. It has to be a crime resulting from that criminal act. If I took my handgun and deliberately left it in the street and somebody picked it up and shot another person, that would be the situation I am referring to. So until it is proven that a suitably large number of customers were financially damaged to a large degree, criminal negligence would never even be discussed by any prosecutors in the first place. Considering the protections afforded to most credit card customers, the vast majority of all damage is going to be against the credit card companies anyways, so it would be up to them. It is far more likely that a civil suit will result from this, and only if the credit card companies believe they can construct a case that will convince a jury that negligence exists.

      Now if the Best Western made a habit out of keeping all the information in plain text files on shared network drives, on computers directly attached to the Internet, with no firewalls with full access permissions for anonymous people, then you would absolutely have a point.

      The reality of the situation suggests that they may have been negligent (doubtful), but to suggest jail time for those involved is a bit drastic, premature, and certainly not supported by the information we possess from this summary, let alone the whole article.
      • Re: (Score:3, Insightful)

        by Wildclaw ( 15718 )

        Considering the protections afforded to most credit card customers, the vast majority of all damage is going to be against the credit card companies anyways, so it would be up to them. It is far more likely that a civil suit will result from this, and only if the credit card companies believe they can construct a case that will convince a jury that negligence exists.

        The credit card companies trying to build a case of negligence???

        The whole idea of using a number that you have to show to untrusted individuals to make a payment and which can be reused any number of times is negligent in itself.

        The sooner we get rid of credit card numbers the better.

      • Re: (Score:3, Informative)

        Criminally negligent is a very serious allegation you are making. I can not understate that.

        It's easy. Europe and its member states have strict data protection laws, and Best Western have broken more than one. Certainly, in the UK directors of a company are responsible for data protection and could be criminally responsible - although this has not been tested in court.

        Also, I think Best Western will certainly be having uncomfortable discussions with their merchant acquirers, because Best Western have not met the terms in the acquirer contract to apply PCI DSS [pcisecuritystandards.org] (credit card security standards).

        Certainl

        • by mpe ( 36238 )
          it's easy. Europe, and member states have strict data protection laws, Best Western have broken more than one.

          Assuming these laws actually are enforced.

          Certainly, in the UK directors of a company are responsible for data protection and could be criminally responsible - although this has not been tested in court.

          It also isn't much use in relation to a company in Arizona, USA.

          Certainly, I've worked in a few large organisations that have had to encrypt credit card data in databases so that members of s
        • by EdIII ( 1114411 ) *

          it's easy. Europe, and member states have strict data protection laws, Best Western have broken more than one. Certainly, in the UK directors of a company are responsible for data protection and could be criminally responsible - although this has not been tested in court.

          We are not talking about the same thing. I simply stated the requirements for criminal negligence. If there are data protection laws, then those would obviously be a consideration, but they are separate from criminal negligence. They ma

      • by mpe ( 36238 )
        I highly doubt that the Best Western meets the standards for criminal negligence in this case. In fact, the article mentions that they deactivated the compromised security credentials of the employee in question immediately. That alone suggests that levels of security were present in their information systems. You would seem to suggest that the fact they did means the security did not exist, which is contradictory. The security existed, it was just bypassed or failed in some way.

        Reading the article it app
    • Any computer connected to the net can be compromised given a sufficiently intelligent/lucky hacker and enough time. The question you should be asking is did they take all reasonable and practical precautions to protect the machines?
  • by toby ( 759 ) * on Sunday August 24, 2008 @08:10AM (#24725457) Homepage Journal

    bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations

    We all know that's a very difficult attack when Windows is involved! Amazing cleverness here.

    • It's difficult to tell without more information - for all we know it could be something impersonating GDM on a Linux system without SELinux or a firewall enabled.
      • by toby ( 759 ) *

        We don't know for certain yet, and I'm no über-hacker myself, but it's a very safe bet that "machines used for reservations" are whitebox junk running WinXP. That provides a nice, easy, warm, slippery orifice of entry for deeper penetration. All the clerk has to do is open the wrong email, download the wrong ringtone, blah blah...

        Bottom line, it's negligent to run Windows in a business setting and pretty soon the courts will agree. A.C. below is right: We only need to wait for an eventual class action

        • by Locutus ( 9039 )

          Here in the US, there was an unpatched hole in MS IE and the only workaround was to basically disable the OS, so the Department of Homeland Security put out a bulletin that businesses should use another browser. Did any? Not the dozen business 'partners' we deal with that I checked.

          The guy at Hannaford(sp?) who had to resign is the first time I heard of anyone getting fired for Microsoft's crappy security. Most people are just technical morons and do what they think everyone else is doing and that is u

    • What the hell is a Trojan virus? I thought Trojans were supposed to protect you from viruses!
    • We all know that's a very difficult attack when Windows is involved! Amazing cleverness here.

      No, this incident brought to you by Best Western.

      Listen, you have a massive international corporation with terminals everywhere. It's reasonable to assume that no matter what security measures you put in place a dedicated attacker (maybe even working with an insider) could compromise a terminal somewhere. What really raises questions is how one login can be given access to a system covering all of Europe and pull down 8 million customer records before raising a red flag.

      "We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."

      Don't point fingers, the root cause s

  • Just a nitpick (Score:4, Interesting)

    by CaptainZapp ( 182233 ) * on Sunday August 24, 2008 @08:27AM (#24725521) Homepage
    Even though Best Western can be seen as a "chain" it's actually a marketing umbrella for thousands of independent hotels.

    From here [wikipedia.org]:

    Unlike other chains, which are often a mix of company-owned and franchised units, each Best Western hotel is an independently owned and operated franchise. Best Western does not offer franchises in the traditional sense (where both franchisee and franchisor are operating for-profit), however. Rather, Best Western operates as a nonprofit membership association, with each franchisee acting and voting as a member of the association.

  • by Opportunist ( 166417 ) on Sunday August 24, 2008 @08:48AM (#24725593)

    We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere. Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor? Because, well, did you see anything happening out of it? I didn't.

    These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?

    Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!

    • Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor?

      Criminal neglect?

      Unless you have proof that their server getting hacked = criminal neglect, maybe you need to switch to decaf.

      These companies cause problems to their customers by their careless handling of personal and financial data.

      What article did you read where Best Western was portrayed as careless?
      Did you RTFA?
      I realize hyperbole is a /. tradition, but /.ers usually ground it in some type of fact.

      • The neglect is not in their servers being hackable. It's unreasonable to assume that a server is unhackable, no matter how it may be secured. The neglect is in the data being still available for the criminals to gain after a year has passed. How long do you need to process some credit card transaction? I would not complain (that much) if a month's worth of customer data was stolen. You need this information for possible complaints and booking changes. But a year's worth of data available for retrieval by a

        • by mpe ( 36238 )
          The neglect is in the data being still available for the criminals to gain after a year has passed. How long do you need to process some credit card transaction?

          The only details which actually needed to be held in the system would be those of current individual guests for theft/damage. Even for that, such information only needs to be available to the specific hotel.

          I would not complain (that much) if a month's worth of customer data was stolen. You need this information for possible complaints and bookin
    • Yet we have "data loss" on an almost weekly basis and nothing happens.
      This is why I am resisting my company's new policy of storing online and in a filing cabinet every employee's credit report, retail theft report, criminal check report, fingerprints, passport, birth certificate and self declaration of any crimes for the last 7 years including minor traffic violations. They intend to show this to any current or prospective clients (mostly large banks, many of whom lose that sort of data on a weekly basis).
      • by mpe ( 36238 )
        This is why I am resisting my company's new policy of storing online and in a filing cabinet every employee's credit report, retail theft report, criminal check report, fingerprints, passport, birth certificate and self declaration of any crimes for the last 7 years including minor traffic violations.

        What do they need this for in the first place? Who keeps the time sensitive part up to date? Unless the employee is driving for the company how are "traffic violations" even remotely relevant? (What about an em
        • What do they need this for in the first place?
          I don't believe they need it at all. Supposedly they need it because we work with healthcare information and they say HIPAA requires it. HIPAA in and of itself does not require much of anything specifically. So everybody and their brother interprets it according to their own whim.
          Who keeps the time sensitive part up to date?
          The employees are supposed to let the company know if anything happens, such as a speeding ticket, bankruptcy or other change in credi
    • Yet we have "data loss" on an almost weekly basis and nothing happens.

      Who do you expect to fix it? Governments, particularly the one in the UK, are more incompetent about protecting their data (posting CDs, leaving things on trains etc) than most companies. Given that these are the people writing the laws do you really expect them to come down hard on the companies? It would be shooting themselves in the foot.

    • We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere.

      Such laws aren't even applied to all actual terrorists either. Probably because it's too embarrassing for those in "authority" to admit that not only is terrorism a risk of the level of "freak accidents" (at least in North America and Europe) or that the majority of actual terrorists can't be fitted into the Al Qaeda conspiracy theory...

      Yet we have "data loss" on an almost w
  • "the Sunday Herald understands that a hacker .. succeeded in .. placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored"

    More likely someone got local access to plant the trojan, one of the night staff hired at minimum wage, for instance, a high turnover in staff, people hired off the street, with no security clearance.

    The 'security' system at a tourist hostel I was familiar wi
  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday August 24, 2008 @08:59AM (#24725643) Journal
    The issue is not so much that the data were stolen, though obviously that is bad; but that the hotel made it worse by keeping data on hand that weren't necessary. "Employment details"? WTF? I recognize that certain data are unavoidable in such a system; but I would like to see substantially greater penalties for those who compromise customer data that they don't even have a good reason for keeping.

    Incidentally, when did we start using the term "lose" as a polite synonym for "fuck up in fine style"?
    • I'm guessing this applies to those that were taking business trips and thus had additional info (company sponsored, conference room, etc).

      I don't think I've ever been asked where I worked when booking at a Best Western (not that I use them often).

    • "Losing data" would be an operational mess for the organization.

      "Disclosing data to criminals", which is what happened, is a mess for its customers.

      • by mpe ( 36238 )
        "Losing data" would be an operational mess for the organization.

        Since most of the data concerned had zero relevance to the company's current operations it wouldn't have mattered too much. The only important data they'd have lost would have been future bookings which the relevant hotels hadn't already been informed about.
        Worst case scenario they'd have had to deal with a fairly minor number of overbookings.
    • I'm going to assume that "Employment Details" probably means the Company Name you specified when you reserved a room.

  • Someone got hold of an admin account, someone wrote a script to automate the downloading of the entire database. No-one noticed until the details popped up for sale on the web ..

  • The best interests include paying for a private security detail for the people's homes while they're away.

    The closing of the account AFTER the information was stolen is priceless. The chickens have already flown the coop and you close the door anyhow. Lovely.
  • by cheros ( 223479 ) on Sunday August 24, 2008 @09:24AM (#24725735)

    .. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).

    Personally, I'm waiting until one of the token manufacturers gets a deal with VISA and Mastercard. After all, a credit card is but a reference number to the contract you have with a credit card provider, and a token can do that just as well. But it could change the static challenge-response PIN with something smarter, and some tokens I've seen are even capable of working securely over a standard web browser.

    Let me translate that last one for you: no more "secure" terminals needed (which is where some hacks now happen), using a token could be as simple as integrating an iframe right into the POS display. Also means safer shopping at home, btw.

    And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.

    • by jimicus ( 737525 )

      .. get new credit cards every half year or so. You're not charged for the change, it secures any leakage you may have left behind and it ensures that data theft isn't a problem. If you think 6 months is too long (you could be travelling a lot), do it more often. And it means costs for the credit card company so maybe they start to come up with a better approach (or pass the costs to the failing merchants, also a good incentive IMHO).

      Both merchant and credit card company have only one source of income - you, the customer. If you cause their costs to go significantly up, expect them to pass these costs on to you.

      Particularly when there's only Visa and Mastercard and they'll spread the cost among all the merchants.

      I'd argue that you'd be better off not using cards at all and write to your issuing bank to explain why.

      And the technology exists already - it's just a matter of reaching the point where fraud is more costly than fixing the problem. Not needing secure terminals could mean that point is reached a lot earlier than originally thought. We're talking months here IMHO, followed by a few years while the terminals are phased out.

      I accept the technology already exists. The difficult (read: expensive) bit isn't the technology, it's every bastard card-

  • Credit card numbers and other personal information are easily stolen, as this article makes clear. The credit card companies and others, like Best Western, who store their customers' personal data call this "identity theft" to make us consumers think that we are the victims, and must pay the price for the theft. A better name for what is happening is "information theft". Private information has been stolen from the company, and it is the company who should suffer the consequences.

    I watch my credit card ch

  • Why (Score:3, Insightful)

    by geogob ( 569250 ) on Sunday August 24, 2008 @10:39AM (#24726131)

    Most of the time, when I read a story along these lines (lost data, stolen data, client personal details incl. credit info), I have to ask myself "do they really need to archive all this data on their customers?"

    • by mpe ( 36238 )
      Most of the time, when I read a story along these lines (lost data, stolen data, client personal details incl. credit info), I have to ask myself "do they really need to archive all this data on their customers?"

      In some cases it's more at the level of "Did they need to store this data at all?". Never mind the question of if they need to store lots of specific data on people who were their customers at some time in the past.
      Whilst some sort of statistical data might be useful. Knowing the names and address
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Sunday August 24, 2008 @11:20AM (#24726347)

    ...why the spokesdrones for so many major companies are allowed to spew the most outrageous bullshit ("We care about our staff"; "The privacy of our guests is our number one concern", etc.), and nobody in the mainstream press ever calls them on it.

    Even politicians, for whom lying is as easy and natural as breathing, are rarely so brazenly, in-your-face dishonest.

  • The records involving elected officials should be unusually valuable.

    If some of those are published, that could be interesting.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday August 24, 2008 @12:14PM (#24726721) Homepage

    causing speculation that homes could be targeted for burglary when it's anticipated they will be unoccupied.

    I always give the hotel a business address - like that some criminal does not know where to go while I am at the hotel. I do the same with labels attached to luggage when flying. I have done this for years.

    When will people learn to give the minimum of personal information that is absolutely necessary?

    • Or you can give a P.O. Box.
    • by mpe ( 36238 )
      I always give the hotel a business address - like that some criminal does not know where to go while I am at the hotel. I do the same with labels attached to luggage when flying.

      Does a hotel actually need your address? Does your luggage need an address label (especially on the outside)? When will people learn to give the minimum of personal information that is absolutely necessary?

      Probably when businesses stop asking for the absolute minimum. Even hassling (potential) customers who refuse to give them
  • We need a Corporate Death Penalty. And since no actual human beings would be put to death, it should be applied fairly liberally. Seriously, a company that fucks up this badly doesn't really deserve to continue operating in any capacity.

    If such a penalty were in existence you'd see all of these stories disappear overnight, and I don't mean because the guilty parties would be covering up their transgressions. I mean they would do whatever's necessary to protect their shareholders (the owners) from losing

    • by mpe ( 36238 )
      I mean they would do whatever's necessary to protect their shareholders (the owners) from losing their investment.

      In the case of a publicly traded company you'd probably want to delist them from all stock markets as a first action. So as to minimise the possibility that the stock market price was lower than the "liquidation value"...
  • Best Western responds: http://tinyurl.com/5863g8 [tinyurl.com] Partial reprint, PR gobbledy gook removed: Posted 6:37 p.m. EDT Aug. 24, 2008 "The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. [snip] The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel [snip] We
    • This should be posted as an update in the summary. But that would take all the sensationalism out of it.

      That's no fun.
