A breach in a key computer system holding data for the Best Western hotel chain may have allowed the Russian mafia to steal information on 8 million customers, if an uncritical story in Scotland’s Sunday Herald proves accurate.

The article, which appeared on Sunday, claims that an Indian hacker with no prior cybercriminal background managed to get a Trojan-horse program installed on a key system inside Best Western’s network. The malicious code reportedly recorded the login credentials of one of the hotel chain’s employees, which the hacker proceeded to sell to a group of Russian cybercriminals.

Yet, the news report is long on hyperbole. Phrases such as “one of the most audacious cybercrimes ever” and “the greatest cyber-heist in world history” pepper the article and ignore a long list of previous — and larger — data thefts, such as the breach of TJX and the hacking of CardSystems Solutions. Moreover, in two press releases, Best Western debated details of the article and denied that the extent of the attack was as bad as claimed by the Sunday Herald.

“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel,” the company said in a statement released late Monday. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software.  The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.”

Best Western said that it had narrowed down the number of customers affected to 10.

While companies and organizations frequently downplay the impact of breaches — the University of Southern California, for example, did not initially acknowledge the full extent of a breach of its online application system — the lack of sources in the original Sunday Herald article leave the newspaper’s claims in doubt. Other media outlets repeated the story uncritically.

Best Western referred to the Sunday Herald story as “largely erroneous.”

The hotel chain has pledged to continue to monitor for fraudulent activity, work with law enforcement authorities and credit-card companies to investigate the breach, and institute greater security measures. Best Western has already notified the FBI and international law enforcement, the company said in its statement.

Article Source