According to the Sunday Herald, an international criminal gang has pulled off one of the most audacious cyber-heists ever by stealing the identities of an estimated 8 million people – who have all been guests in at least one of the 1300 existing Best Western Hotels in the past 12 months – in a hacking raid that could ultimately net more than 3.5 billion euro in illegal funds.
A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.
Update: Neville Hobson was kind enough to Twitter-point me to a statement issued by Best Western (PDF), wherein they claim the newspaper is being sensationalist, and that most of the facts presented in the article are inaccurate, exaggerated, unsubstantiated or false, although they fail to provide more insight as to what the extent of the damage really is.
Update 2: Best Western provided more feedback on the issue:
“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel. The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s anti-virus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use. “
The Sunday Herald alerted Best Western, who promptly closed the security breach on Friday afternoon, but experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx, has even been quoted saying “In the wrong hands, there’s enough data there to spark a major European crime wave.”
The stolen data included private information like home addresses, phone numbers, credit card details and place of employment.
The initial hacker succeeded in bypassing the system’s security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next tume a member of staff logged in, her username and password were collected and stored.
If you’ve stayed in a Best Western hotel at some point during the past year, you might want to consider hooking up with their customer service department to see what’s up. Use the number 0800 528-1238.
(Image courtesy of hiten mistry @ Flickr)