Best Western claims customer hack was tiny

The number of people believed to have been affected by an intrusion into an online booking system at the Best Western hotel chain is much smaller than earlier thought, according to the company.

It is now believed that the attackers accessed the personal data of just 10 guests at a hotel in Germany.

That's three fewer than the 13 customer records that Best Western International initially said had been exposed, and a far cry from the 8 million stolen records reported by the Glasgow Sunday Herald, a Scottish newspaper that broke the news of the breach on Sunday.

The story in the Sunday Herald claimed that hackers had made off with the credit card records and other data of every single customer who had stayed at one of Best Western's 1,312 European hotels this year and in 2007.

The paper said the breach was perpetrated last Thursday by a hitherto unknown Indian hacker, who allegedly obtained the log-in credentials for Best Western's online booking system via a keystroke-logging program and then sold the details of how to access the data in the system to a Russian cybercrime gang.

In response, Phoenix-based Best Western on Monday issued a statement dismissing many of the assertions in the Sunday Herald 's story as inaccurate and "grossly unsubstantiated." The hotel chain said its own investigation had shown that the intrusion was limited to just one hotel and that just over a dozen customer records were compromised.

In an update to that statement late yesterday, Best Western identified the hotel where the breach took place as the 107-room Best Western Hotel am Schloss Kopenick in Berlin. The company said that on August 21, three separate attempts were made via a single log-in ID to access reservations data from that hotel. Further investigations have shown that the intrusion resulted in the compromise of information about 10 guests, each of whom has been contacted by the hotel, Best Western said.

The hotel chain said that the log-in ID used to access the hotel's reservations system was immediately deleted after Best Western became aware of the breach. Antivirus software detected a Trojan horse program that had been installed on the system to log keystrokes, the company said, adding that the computer in question has since been "removed from use."

The update also reiterated Best Western's policies for limiting data exposure and noted that the company purges reservations data within seven days of a guest's departure. As a result, the maximum amount of customer reservations data that potentially could have been exposed was limited to the information of current guests, those who had departed within seven days of the intrusion, and people who had booked future stays at the Berlin hotel, Best Western said.