Best Western Forced to Play Defense on Breach Disclosure

The hotel chain disputed a newspaper report that it had been hit by a massive data breach. But could it have done a better job of defusing the issue?

The headline in the Glasgow Sunday Herald — "Revealed: 8 Million Victims in the World's Biggest Cyber Heist" — was a grabber.

And it certainly got the attention of Best Western International Inc., which found itself scrambling to do damage control after the Scottish newspaper reported that hackers had broken into the hotel chain's online reservation system and stolen 8 million customer records. The theft netted data on everybody who had stayed at Best Western's 1,312 European hotels this year and in 2007, according to the Sunday Herald.

After the story appeared on Aug. 24, Phoenix-based Best Western acknowledged that the Herald had alerted it to a "possible compromise" of data. But the company disputed the newspaper's claims about the scope of the system intrusion, saying that the story was "grossly unsubstantiated." Best Western said the breach had affected just 13 customers at a single hotel in Berlin — a number that it later reduced to 10.

Nonetheless, the company couldn't stanch the flow of online stories and blog posts about the data breach that followed the publication of the Herald's story. Best Western's experience highlights the public relations problems that can result from breach disclosures and the need for companies to have comprehensive incident-response plans for dealing with such disclosures.

Delayed Disclosure

In Best Western's case, it could have beaten the newspaper to the punch by breaking the news about the breach itself. The intrusion took place on Aug. 21. According to the Herald, it brought the incident to the company's attention the following day, two days before the story was published.

In comments sent via e-mail last week, a Best Western spokeswoman indicated that the company was blindsided by the Herald's claims about the scope of the breach. The reporter didn't ask about the possibility that 8 million records had been stolen, the spokeswoman said. She said that he simply asked for the number of Best Western hotels and rooms in Europe and that he appeared to have used those numbers to extrapolate the 8 million figure.

A company whose systems have been breached should fully understand the scope before going public, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley.

Best Western may not have been fully aware of what it was about to be hit by. But in general, it's better for companies to disclose breaches before someone else does it for them, said Kirk Nahra, an attorney who specializes in data privacy and security issues at Wiley Rein LLP in Washington.

Corporate executives are often hesitant to do so, Nahra acknowledged, noting that they have to think about different audiences when disclosing breaches — including "lawyers looking to file lawsuits." But, he said, "the issue is how you control it. You do what you can to make it a one-day story, not a 10-day story."

It took Best Western until last Tuesday to detail its version of the breach. In a statement issued that day, the company said the incident involved a compromised user ID that provided access only to data stored at the Berlin hotel. The ID was "immediately terminated," and a computer found to contain a Trojan horse program was removed from use, Best Western said.

In addition to being scooped by the Herald, Best Western contradicted itself on how quickly reservations data is deleted from its systems. On Aug. 24, it said the data is purged "promptly upon guest departure." But last Tuesday, the company amended that timing, saying the data is removed within seven days of checkouts.

John Pescatore, an analyst at Gartner Inc., said Best Western officials might have been caught a bit off-guard because the breach was brought to their attention by a reporter.

But the episode shows why companies should simulate various worst-case scenarios when they test their incident-response plans, Pescatore added. Best Western, he said, may have discovered what "many businesses learn the first time they have to implement their disaster recovery plan — 'Oops, we should have had a dry run.'"

This version of the story appeared in Computerworld's print edition.

Copyright © 2008 IDG Communications, Inc.
