Best Western has lost the details on every single customer it has had in Europe over the past 12 months.  8 million customers have now had their private details exposed in one of the largest security breaches ever in Europe.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.

While this is damaging news, Best Western’s CEO made a comment on the Sunday Herald story and is claiming that the theft isn’t as big as first reported.

You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!

After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers who we are currently being contacted to offer our assistance, none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.

We are working with the FBI and other international authorities to investigate further.

So, they think it was only one hotel, but they are still investigating.  If they were sure it was one hotel and ten customers, there would be no need for further investigation.  Just because there is no evidence of unauthorized action doesn’t mean that it didn’t happen, nor does it mean that authorized action didn’t happen.

Debate and analysis is ongoing, however, regardless of whether it was 10 customers or 8 million, this is still a serious security breach.    It is also curious how a reporter was able to obtain a screenshot of data going back nearly a year when Best Western claims that it only keeps such records for seven days after guest departure.

A trojan is difficult to detect and can easily hide within a system.  They disguise themselves as something innocuous and continue to steal little bits of information until detected and purged.  If one account or system is infected, it is likely that many more are too.