Database File Encryption Present In Best Western Hack According To The Company.

A data breach affecting over 8 million Best Western customers was reported over the weekend by the Sunday Herald, a newspaper in Glasgow, Scotland.  The Best Western hotel chain released a statement earlier today saying that the claim is “grossly unsubstantiated.”  The company has also listed a number of methods it uses to protect customer information, and has noted that it uses encryption to protect the credit card information both in its databases (data at rest) and moving through its networks.  Those are magic words to my ears.  It doesn’t mean that a data breach cannot occur—after all, the hacker got into their system.  Who knows if he installed packet sniffers and whatnot, and managed to record the password to decrypt the information, right?


But this is a company that has implemented at least one important facet of data security.  Here’s a list of what else they’ve implemented:


  • Secure network that is protected with firewalls

  • Strong information security policy

  • Credit card numbers are collected to process reservations only

  • Restricted access to sensitive data, like the credit card numbers above

  • Use of encryption (already noted) to protect the same

  • DELETION of credit card information and all other personal information upon guest departure

Supposedly, Best Western does this to be in compliance with PCI DSS.  That last bullet point implies that customer data going all the way back to 2007 couldn’t have been part of the data breach, as reported by the Sunday Herald, unless Best Western has 8 million guests who’ve been staying with them for eight months, which I’d find impossible and weird.  I mean, their rooms are OK, but they’re not the penthouse at the Four Seasons…


What I do find weird, though, is also the last point.  If they actually delete all personal information, how do they keep track of their customers?  Isn’t the hospitality industry famous—perhaps even notorious—for keeping track of customers?

Like the TJX case before, it will take time to figure out the extent of the breach.  So far, Best Western has admitted that only 13 customers have been affected by the network intrusion.  If the Glasgow newspaper has its facts right—again, a point severely contested by Best Western—the number can only go up from here.  But if they’ve put as much effort into securing their data as they say—including the use of file encryption like AlertBoot to protect the content of their servers—I’m willing to bet that the hotel chain has things under control (as opposed to other businesses that wish they had things under control…and leave it at that).
