The World's Largest Cyber Heist... Or Not

Scotland's Sunday Herald reported this last weekend that the world's largest cyber-heist ever recorded had taken place, with approximately eight million people's identities stolen. The target was the Best Western Hotel group, the culprit was "an unknown Indian hacker," the accomplices were "an underground network operated by the Russian mafia," and the estimated haul could be worth "more than £2.8billion [$5.15 billion USD)] in illegal funds."

If the Sunday Herald's claims are true, then the security Breach of Best Western is almost double in size the largest-reported cyber-breach to date of 4.5 million records exposed following the loss of BNY Mellon Shareowners Services' backup tapes this last February. The only problem is that Best Western denies that the breach was anywhere near as large as the Sunday Herald said it was:

"The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. We at Best Western take the confidentiality of our customers' personal information very seriously. The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary. Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper. We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper."

The Sunday Herald reported that an Indian hacker placed a Trojan virus on a Best Western computer used for reservations, and the Trojan was able to capture the login credentials of a Best Western staff member. Once the login credentials were captured, they were "put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime."

Up to this point, the Sunday Herald purports to report on actual events. However, the rest of its story--and therefore the figure of eight million stolen identities--is based purely on speculation:

"Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' - a simple computer programme - capable of harvesting every record on Best Western's European reservation system.

With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn."

Best Western countered, however:

"The reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure."

In fact, in an email to Information Week, Best Western stated:

"There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them."

There is a huge difference between 13 records and 8 million. Is the Sunday Herald guilty of sensationalism, speculation, exaggeration, and simply getting some key facts wrong? Is Best Western trying to cover up what could be a monster data breach? We guess we'll have to wait until next Sunday to see what the Sunday Herald has to say about it.
Tags:  AR