Confusion reigns over Best Western data security breach

Conflicting stories are hitting the security headlines today about an alleged breach of computer systems run by the Best Western hotel chain.

According to a report by Iain S Bruce of the Scottish newspaper The Sunday Herald, names, home addresses, credit card details, telephone numbers and other personal information has been stolen from Best Western’s computer network by a gang of hackers.

According to the report, an Indian hacker planted a Trojan horse on one of the firm’s computers which stole usernames and passwords, giving the gang access to sensitive data which could be used for the purposes of identity theft. The Sunday Herald claims that the incident scooped up the details of guests who had stayed at a Best Western hotel since 2007, creating a potential total of eight million victims.

Sign up to our free newsletter.
Security news, advice, and tips.

However, a statement from the company – which has more than 4000 hotels in 80 countries- claims that the reports are inaccurate:

“The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. We at Best Western take the confidentiality of our customers’ personal information very seriously. The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary. Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper.”

“We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper. Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure.”

Was this a case of over-exuberant reporting, or is Best Western trying to downplay the scale of the incident? What’s obvious is that at the moment the facts of this case are unclear. Even if only one hotel branch was affected, there is still an important reminder here for every organization to take the utmost care over securing its customers’ data.

Rival hotel firms would be wise not to bounce on their beds in glee at Best Western’s possible misfortune – but look again at their own systems to make sure that they are properly defended.

How can you tell if you are a victim of identity theft?
Symptoms include:

* Image source: The Joy of the Mundane’s Flickr photostream (Creative Commons 2.0)


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.