Best Western forced to play defense on data breach disclosure

The headline in this week's Glasgow Sunday Herald -- "Revealed: 8 million victims in the world's biggest cyber heist" -- was a grabber.

And it certainly got the attention of the Best Western hotel chain, which found itself scrambling to do damage control after the Scottish newspaper reported that hackers had broken into its online reservation system and stolen 8 million customer records. According to the Sunday Herald, the theft netted data on everybody who had stayed at Best Western's 1,312 European hotels this year and in 2007.

After the story appeared on August 24, US-based Best Western International acknowledged that the Herald had alerted it to a "possible compromise" of data. But the company refuted the Sunday Herald's claims about the scope of the system intrusion, saying that the story was "grossly unsubstantiated." Best Western said the breach had affected just 13 customers at a single hotel in Berlin -- a number that it later reduced to 10.

Nonetheless, the company couldn't stanch the online flood of stories and blog posts about the data breach that followed the publication of the Sunday Herald's story, which said that a hacker from India had obtained log-in credentials for Best Western's online booking system via a keystroke-logging program and then sold information on how to access the data in the system "through an underground network operated by the Russian mafia."

Best Western's experience highlights the public relations problems that can result from breach disclosures, as well as the need for companies to have comprehensive incident-response plans in place for dealing with such disclosures.

In this case, Best Western could have beaten the Sunday Herald to the punch by breaking the news about the breach itself. The intrusion took place on August 21; according to the newspaper, it brought the breach to the company's attention the following day, two days before the story was published.

In comments sent via e-mail this week, a Best Western spokeswoman indicated that the company was blindsided by the Sunday Herald's claims about the scope of the breach. The reporter who wrote the story didn't mention the possibility that 8 million records had been stolen when he talked to Best Western officials, the spokeswoman said. She said that he simply asked for the number of Best Western hotels and rooms in Europe, and that he appears to have used those numbers to extrapolate the 8 million figure.

And the only evidence of a breach that the reporter presented was a screenshot of a single log-in suggesting a possible compromise, the spokeswoman added. "Basically, the Herald elicited a statement from us on one issue and used the statement to report on another," she said.

Page Break

The reporter, Iain S. Bruce, has yet to respond to questions about the matter that were sent to him via e-mail at his request on Tuesday. Included was a question about whether he had discussed the claim of 8 million victims with Best Western before his story was published.

It's reasonable for a company whose systems have been breached to make sure it fully understands the extent of what has happened before going public, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley. "The general rule is that one should not disclose the breach until its scope has been determined," Hoofnagle said.

But even if Best Western wasn't fully aware of what it was about to be hit by when the Sunday Herald published its story, it's better for companies to disclose breaches before someone else does so for them, said Kirk Nahra, an attorney who specializes in data privacy and security issues at Wiley Rein.

Corporate executives often are hesitant to do so, Nahra acknowledged, noting that they have to think about different audiences when disclosing breaches -- including "lawyers looking to file lawsuits." But, he said, "the issue is how you control it. You do what you can to make it a one-day story, not a 10-day story."

It took Best Western until Tuesday to detail its version of the breach. In a statement issued that day, the company said the incident involved a compromised user ID that provided access only to data stored at the Berlin hotel. The ID was "immediately terminated," and a computer was "removed from use" after antivirus software found that it was harboring a Trojan horse program, Best Western said.

In addition to being scooped by the Sunday Herald, Best Western contradicted itself on how quickly reservations data is deleted from its systems. On August 24, it said the data is purged "promptly upon guest departure." But last Tuesday, the company amended that timing, saying the data is removed within seven days of checkouts.

Most businesses have defined internal processes for handling data breach disclosures, said John Pescatore, an analyst at Gartner. But he said that Best Western officials may have been caught a bit off-guard because the system intrusion was revealed to them by a reporter who was looking to write a story about it and seeking immediate comment from the hotel chain.

The episode shows why companies should simulate various worst-case scenarios when they test their incident-response plans, Pescatore added. Best Western, he said, may have discovered what "many businesses learn the first time they actually have to implement their disaster recovery plan -- 'Oops, we should have had a dry run.'"