The number of people believed to have been affected by an intrusion into an online booking system at the Best Western hotel chain last month is smaller than earlier thought, according to the company, which says that the attackers accessed the personal data of just 10 guests at a hotel in Germany.
That's three fewer than the 13 customer records that Best Western International initially said had been exposed, and a far cry from the 8 million stolen records reported by the Glasgow Sunday Herald, a Scottish newspaper that broke the news of the breach on Sunday.
The story in the Sunday Herald claimed that hackers had made off with the credit card records and other data of every single customer who had stayed at one of Best Western's 1,312 European hotels this year and in 2007. The paper said the breach was perpetrated by a hitherto unknown Indian hacker, who allegedly obtained the log-in credentials for Best Western's online booking system via a keystroke-logging program and then sold the details of how to access the data in the system to a Russian cybercrime gang.
In response, Phoenix-based Best Western issued a statement dismissing many of the assertions in the Sunday Herald 's story as inaccurate and "grossly unsubstantiated". The hotel chain says its own investigation had shown that the intrusion was limited to just one hotel and that just over a dozen customer records were compromised.
In an update to that statement, Best Western identifies the hotel where the breach took place as the 107-room Best Western Hotel am Schloss Kopenick in Berlin. The company says that on August 21, three separate attempts were made via a single log-in ID to access reservations data from that hotel. Further investigations have shown that the intrusion resulted in the compromise of information of about 10 guests, each of whom has been contacted by the hotel, Best Western says.
The hotel chain says the log-in ID used to access the hotel's reservations system was immediately deleted after Best Western became aware of the breach. Antivirus software detected a Trojan horse program that had been installed on the system to log keystrokes, the company says, adding that the computer in question has since been "removed from use".
The update also reiterated Best Western's policies for limiting data exposure and noted that the company purges reservations data within seven days of a guest's departure. As a result, the maximum amount of customer reservations data that potentially could have been exposed was limited to the information of current guests, those who had departed within seven days of the intrusion, and people who had booked future stays at the Berlin hotel, Best Western says.