A Scottish newspaper, the Sunday Herald, reported late last week that hackers placed a trojan on the hotel chain's European reservation system, capturing a clerk's password to gain entry to the group's online booking system.
The intruders then reportedly sold details of how to gain access to the system to a Russian gang. The attack was noticed when the Best Western database, which included guests' names and credit card numbers, was offered for sale on an underground forum.
Responding to the newspaper report, Best Western issued a statement admitting there had been a breach, but said that on Friday it had closed the entry point in its system that gave the hackers access. The company also disputed claims that its data had been compromised, and sought to reassure its customers that it is taking appropriate action.
The chain, which has more than 4,200 hotels in 80 countries, responded that the charges in the newspaper report were “grossly unsubstantiated…We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.”
It also stated that it complies with the Payment Card Industry Data Security Standard (PCI DSS), and that to maintain that compliance it uses a “secure network protected by firewalls and governed by a strong information security policy.”
The chain added that it collects credit card details only when processing a reservation, encrypts that information, and deletes it when the guest departs. The company also restricts access to that data to only those people who require it.
However, despite these appropriate information security strategies, experts point out that there are ways a hacker may have gained entry to the company's network, most likely via a traffic-sniffing trojan.
Ed Moyle, manager at CTG, which provides IT solutions to Global 2000 clients, said Best Western may be correct in its assessment of the breach's extent. But the news is already out and the company's reputation could be harmed, he said.
“It's an unfortunate outcome for what appears to be a smaller-than-reported data loss,” he said. “In an ideal world, companies ought to be looking at how they can prevent this sort of thing with the ultimate goal of not having to put out a retraction.”
Moyle said there appears to be nothing more Best Western could have done to prevent the compromise.
"Yes, they were in compliance with [PCI], it's a useful bar to meet, but that doesn't guarantee loss prevention," he said. "There are always going to be breaches."