Best Western Breach Nets 8 Million IDs -- Or Does It?

According to a Sunday report in Scotland's Glasgow Sunday Herald, last Thursday an Indian hacker devised a method for breaking into Best Western's online booking system and then sold this information to Russian mafia operatives.

The Herald, which described the alleged breach as "the greatest cyber-heist in world history" and credited itself with alerting Best Western, claimed the attack revealed a treasure trove of personal data on every customer who has stayed at one of the chain's 1,312 European hotels since 2007.

In all, the Herald estimated that the home addresses, telephone numbers, credit card, and employment details of about 8 million customers were compromised, and that hackers could use this data to generate more than $5 billion in ill-gotten gains.

However, on Monday, Best Western International railed against the report, describing its assertions as "grossly unsubstantiated." The breach occurred at a single hotel and only involved records of 13 customers, a Best Western spokesperson said in an interview with ChannelWeb.


"Claims reported about our Central Reservations customer records are not accurate. We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper," Best Western said in a statement.

Best Western disputed the Herald's claim that customer data dating to 2007 was affected by the breach, claiming that it purges online reservation data immediately after guests depart.

Best Western also insisted that, as of its most recent internal and external reviews earlier this month, the company is in full compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements drawn up by the major credit-card brands for securing cardholder data.

But Rich Mogull, an independent security consultant and former Gartner analyst, says companies that are PCI compliant aren't immune to being hacked.

"With PCI, although you've at least undergone some level of security, we haven't seen a direct correlation between PCI certification and an organization's ability to defend against certain types of attacks, particularly those involving Web application security," said Mogull.