Best Western finds that compliance does not guarantee security

August 26, 2008
As the Rolling Stones used to say, “What can a poor boy do?”

Despite taking all the prescribed precautions and having proper defenses in place, hotel chain Best Western allegedly suffered the indignity of a breach of its reservation system late last week. Reportedly, the personal information of eight million customers was put up for sale on a pirate site (reportedly via a Russian mob), though the hotel issued a statement disputing this account.

While the facts at this point in the investigation are sketchy, a trojan placed on a computer within the chain is being cited as the hacker’s entry point. And this occurred even as the chain was doing everything it should to prevent such an intrusion. In a statement issued in response to a news report of the breach, the chain outlined all the steps it takes in its information security processes:

  • “We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”
From this security profile, it’s reasonable to assess that Best Western was doing everything “right.” But the end result proves that “right” just might not be enough.

As we hear over and over again: compliance does not necessarily equal security. Experts repeat ad nauseam that compliance is useful (even if begrudged), but that other measures must also be put in place to build up a stronger defense against the loss of data, both from without and within.

This latest alleged exposure raises a number of issues: Was Best Western doing everything right to defend its database and network? Could it have done anything differently to beef up its defense? Is it true, as many say, that a breach cannot be stopped? And, inevitably, what now?

Whether the accusations are accurate or not, whether the charge that the personal info of eight million customers was exposed is overblown, as some are saying (including the hotel chain), or whether that number turns out to be much smaller, almost doesn’t matter at this point. Beyond the need for a reassessment of its information security systems, it’s a PR nightmare for Best Western.

“So much public scrutiny as a result of the published report could be detrimental to Best Western’s brand,” Ed Moyle, manager, CTG, a firm that provides information technology staffing and solutions, told SCMagazine.com yesterday.

Whether Best Western is the victim of a hacker or of a campaign to besmirch its name, this week's latest entry into security celebrity status unfolds as an illustration for the rest of us. Will this negative attention mean much to the public? How will Best Western handle the accusations and the actual state of its IT security systems and processes?

Clue: They might look to Hannaford, which handled the aftermath of its breach with transparency.