The Sunday Herald reported late last week that hackers placed a trojan on the hotel chain's European reservation system, capturing a clerk's password to gain entry to the group's online booking system.
The intruders then reportedly sold details of how to gain access to the system to a Russian gang. The attack was noticed when the Best Western database, which included guests' names and credit card numbers, was offered for sale on an underground forum.
Responding to the newspaper report, Best Western issued a statement admitting there had been a breach, but claimed on Friday that it had closed the entry point in its system that had given the hackers access. The company also refuted claims that its data had been compromised, and sought to reassure its customers that it is taking appropriate action.
The chain, which has more than 4,200 hotels in 80 countries, responded that the charges in the newspaper report were “grossly unsubstantiated… We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.”
It also stated that it complies with the Payment Card Industry (PCI) Data Security Standard (DSS), and that to maintain that compliance, it uses a “secure network protected by firewalls and governed by a strong information security policy.”
The chain added that it only collects credit card details when processing a reservation and then encrypts that information, deleting it when the guest departs. Also, the company restricts access to that data to only those people who require it.
However, despite these appropriate information security strategies, experts point out that there are ways a hacker may have gained entry to the company's network, most likely via a traffic-sniffing trojan.