[Dataloss] Best Western Response

Domonick T. Weaver dweaver81 at earthlink.net
Mon Aug 25 11:15:39 UTC 2008


On Sunday 24 August 2008 22:39:47 jkouns wrote:
> http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr
>
> Best Western Responds to Sunday Herald Story Claiming Security Breach
> Hotel Chain Asserts No Evidence to Support Sensational Claims
> Last update: 6:37 p.m. EDT Aug. 24, 2008
>
> PHOENIX, Aug 24, 2008 (BUSINESS WIRE) -- The story printed in the
> Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security
> breach of Best Western guest information is grossly unsubstantiated.
> Claims reported about our Central Reservations customer records are not
> accurate. We at Best Western take the confidentiality of our customers'
> personal information very seriously. The Sunday Herald reporter brought
> to our attention the possible compromise of a select portion of data at
> a single hotel; we investigated immediately and provided commentary.
> Best Western would have welcomed the opportunity to fact-check the
> story, which would have resulted in more accurate and credible reporting
> on the part of the newspaper. We have found no evidence to support the
> sensational claims ultimately made by the reporter and newspaper.
>
> Most importantly, whereas the reporter asserted the recent compromise of
> data for past guests from as far back as 2007, Best Western purges all
> online reservations promptly upon guest departure.
>
> Best Western is committed to safeguarding the confidential information
> of our guests. We comply with the Payment Card Industry (PCI) Data
> Security Standards (DSS). To maintain that compliance, Best Western
> maintains a secure network protected by firewalls and governed by a
> strong information security policy. We collect credit card information
> only when it is necessary to process a guest's reservation; we restrict
> access to that information to only those requiring access and through
> the use of unique and individual, password-protected points of entry; we
> encrypt credit card information in our systems and databases and in any
> electronic transmission over public networks; and again, we delete
> credit card information and all other personal information upon guest
> departure. We regularly test our systems and processes in an effort to
> protect customer information, and employ the services of
> industry-leading third-party firms to evaluate our safeguards.
>
> PCI requires the periodic evaluation, testing, and re-certification of
> compliance. To that end, our most recent internal review was conducted
> in August 2008, as was our most recent external test and review. Both
> evaluations showed Best Western to be compliant with PCI DSS.
> Best Western would like to assure our customers, member hotels and
> business partners that we have no evidence to suggest that there is need
> for widespread concern. As a precautionary measure, now and always, we
> advise guests to review their credit card statements closely, and we
> will of course continue to comply with PCI standards going forward.
> Customer inquiries should be directed to our US customer service team
> at 800 528-1238
>
> SOURCE: Best Western International
>
> Best Western International
> Troy Rutman, 00 + 1 +602.578.0086 (mobile)
> 00 + 1 +602.957.5668 (office)
> Troy.Rutman at bestwestern.com

I just want to know this: if they purge the data in their system so often,
then how come I can call Best Western and make a reservation on my Visa card,
without informing them of the number? And I haven't slept in a Best Western
in 5 years? Hmm... go figure!

