Democratic Underground

8 million victims in the world's biggest cyber heist (Best Western hotels in Europe)

This topic is archived.

Newsjock Donating Member (1000+ posts) Sun Aug-24-08 10:23 AM
Original message
8 million victims in the world's biggest cyber heist (Best Western hotels in Europe)
Source: (Scotland) Sunday Herald

An international criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

... "They've pulled off a masterstroke here," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx. "There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave."

Read more: http://sundayherald.com/news/heraldnews/display.var.2432225.0.0.php

Turbineguy Donating Member (1000+ posts) Sun Aug-24-08 10:27 AM
Response to Original message
1. But....
don't they need to keep that information on the servers so they can cater to their customers' every whim?

jmowreader Donating Member (1000+ posts) Sun Aug-24-08 11:35 AM
Response to Reply #1
6. They do...but...
Two things have come together to make cybercrime easy and rewarding: Windows servers, and reliance on the Internet as your wide-area network. Back in the Old Days, you ran either a midrange system or a mainframe as your server, and you relied on a satellite link to your corporate headquarters. It probably would have been possible to hack into this, but it would have been a hell of a lot harder than it is now.

I'm starting to see a transition back toward satellite WANs. Most if not all state lotteries use it, some convenience store chains use it, probably the auto industry never left it. It's real simple, folks: if you put sensitive corporate data on a computer that's connected to the Internet, even if it's encrypted, assume someone will steal it.

The first step is to get rid of all the MBAs. I don't think we'd be in this much trouble if we hadn't listened to the MBAs. Check it out: there's a very right-wing college just up the road from Fayetteville that offers the MBA. I was reading their business school's yearly magazine once, and they discussed this seminar some famous MBA gave to the students. In it he told them to make sure to only use the cheapest materials available because you can't make money using quality ingredients. If I was that guy's boss I would have fired him the second I heard about that speech: "What exactly have you done to my company?"

Turbineguy Donating Member (1000+ posts) Sun Aug-24-08 01:18 PM
Response to Reply #6
9. Well I think most customers
would be happy with a "Hello Mr. X, nice to have you back!" The fact is that we simply keep too much information in databanks. There was obviously something worth stealing and the mere fact that somebody stayed in a Best Western wasn't it.

As far as the MBA thing goes, I was in a shipyard and the Ship's Superintendent for my vessel was an MBA with no engineering background. And of course we have a president with an MBA.

geckosfeet Donating Member (1000+ posts) Sun Aug-24-08 10:30 AM
Response to Original message
2. These companies need to be held to a higher standard and respect
and protect the privacy requirements of their clientele.

This is obscene.

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sun Aug-24-08 10:47 AM
Response to Reply #2
3. These hacks are caused by a combination of things:
The first is cheapness. This is what happens when companies decide that best practices of data and network security are too expensive. Usually, these are decisions made by mid-level management to prove they are good boys who can keep their budgets low, and signed off on by clueless pogue CTO/CIO level execs. Rather than upgrading software, running security audits and developing and implementing new and stronger security schemes, they stick with the insecure and vote themselves bonuses.

The second is incompetence at every level. When you get rid of well-paid and experienced IT people, hire far less experienced and far less paid people to replace them or outsource most of your IT functions to relatively faceless countries and companies, a tactic that is well known for resulting in abysmal work product and personnel with either no credentials, false credentials or credentials that bear no relationship to real experience, knowledge of the issues at hand or experience...well, this is what you get. Add to that managerial-level staff that have the same issues of quals and competence and it is an amazement that there has not been more of this.

Data and network security is a fluid, dynamic and on-going process. It is holistic, not linear.

ravencalling Donating Member (247 posts) Sun Aug-24-08 11:10 AM
Response to Reply #3
5. well said!
Totally agree with your assessment. You get what you pay for, garbage in garbage out, etc. There are a number of cliches that come to mind in regards to companies cutting corners in their IT departments in order to save on expense.

The only ones who "care" in these situations are the IT "professionals" and managers with real business knowledge and experience who see it in real life. Those are skills that are grown and nurtured. Caring about the business one is in, caring about one's own professionalism is something you don't get when you hire those faceless companies and countries. It is also something that doesn't exist when incompetence rules the day.

geckosfeet Donating Member (1000+ posts) Sun Aug-24-08 11:48 AM
Response to Reply #3
7. Exactly. They should be prosecuted for negligence. eom

glitch Donating Member (1000+ posts) Sun Aug-24-08 04:15 PM
Response to Reply #3
11. Beautiful post, every word. nt

Dem_in_Nebr. Donating Member (48 posts) Sun Aug-24-08 05:40 PM
Response to Reply #3
12. Totally Agree
Where I live we have a major credit card processing company that is outsourcing the programming and operations to another country. Now who's going to own the data? For all practical purposes, it's the people who work with it. Very short sighted of any company to do this.

Apparently programmers were also told that they wouldn't get a severance package if they didn't assist with training the "new" people. Think about what that does for morale.

Beancounters and those who listen to them -- tchah!! (My apologies to any true accountants here -- there is a difference between the two professions.)

thunder rising Donating Member (1000+ posts) Sun Aug-24-08 10:57 AM
Response to Original message
4. I'll bet the IT is in India. When you outsource your data, you no longer own the company. Ha Ha ..
chickens ... roosting.

2Design Donating Member (1000+ posts) Sun Aug-24-08 01:14 PM
Response to Original message
8. isn't outsourcing our technical expertise and knowledge great for the whole n/t

Straight Shooter Donating Member (1000+ posts) Sun Aug-24-08 01:26 PM
Response to Original message
10. Save a penny, lose a pound.
Big corporations never seem to learn, but it's not like it's their ox that's getting gored, until their customers start leaving them after the damage is already done. :(

tabasco Donating Member (1000+ posts) Sun Aug-24-08 05:52 PM
Response to Original message
13. I stayed at a Best Western in Amsterdam.
It was near the museums and very reasonable. Really nice little hotel.

A long time ago.

Divernan Donating Member (1000+ posts) Sun Aug-24-08 07:26 PM
Response to Original message
14. Best Western told me that all major credit card companies have set up offices to handle this problem
I have reservations in Europe in October and December at Best Westerns so really appreciated the heads up on this from the OP. Just talked to Best Western, who referred me to AMEX. Amex has a special office set up re this. I will not be liable for any bogus charges on the card I used. And I changed my card to get a new expiration date and security code. However, another possibility mentioned in the linked article is selling bundles of names, addresses and dates of trips to circles of thieves who will then know when you'll be away from home.

The number for AMEX re this matter is 1-800-545-5058.
