funsec mailing list archives

Fwd: [Dataloss] Best Western Response


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Mon, 25 Aug 2008 05:46:53 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI.

- - ferg

[snip]

From: jkouns <jkouns () opensecurityfoundation org>
To: dataloss () attrition org


http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr

Best Western Responds to Sunday Herald Story Claiming Security Breach
Hotel Chain Asserts No Evidence to Support Sensational Claims
Last update: 6:37 p.m. EDT Aug. 24, 2008

PHOENIX, Aug 24, 2008 (BUSINESS WIRE) -- The story printed in the 
Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security 
breach of Best Western guest information is grossly unsubstantiated. 
Claims reported about our Central Reservations customer records are not 
accurate. We at Best Western take the confidentiality of our customers' 
personal information very seriously. The Sunday Herald reporter brought 
to our attention the possible compromise of a select portion of data at 
a single hotel; we investigated immediately and provided commentary. 
Best Western would have welcomed the opportunity to fact-check the 
story, which would have resulted in more accurate and credible reporting 
on the part of the newspaper. We have found no evidence to support the 
sensational claims ultimately made by the reporter and newspaper.

Most importantly, whereas the reporter asserted the recent compromise of 
data for past guests from as far back as 2007, Best Western purges all 
online reservations promptly upon guest departure.

Best Western is committed to safeguarding the confidential information 
of our guests. We comply with the Payment Card Industry (PCI) Data 
Security Standards (DSS). To maintain that compliance, Best Western 
maintains a secure network protected by firewalls and governed by a 
strong information security policy. We collect credit card information 
only when it is necessary to process a guest's reservation; we restrict 
access to that information to only those requiring access and through 
the use of unique and individual, password-protected points of entry; we 
encrypt credit card information in our systems and databases and in any 
electronic transmission over public networks; and again, we delete 
credit card information and all other personal information upon guest 
departure. We regularly test our systems and processes in an effort to 
protect customer information, and employ the services of 
industry-leading third-party firms to evaluate our safeguards.

PCI requires the periodic evaluation, testing, and re-certification of 
compliance. To that end, our most recent internal review was conducted 
in August 2008, as was our most recent external test and review. Both 
evaluations showed Best Western to be compliant with PCI DSS.

Best Western would like to assure our customers, member hotels and 
business partners that we have no evidence to suggest that there is need 
for widespread concern. As a precautionary measure, now and always, we 
advise guests to review their credit card statements closely, and we 
will of course continue to comply with PCI standards going forward. 
Customer inquiries should be directed to our US customer service team 
at 800 528-1238.

SOURCE: Best Western International

Best Western International 
Troy Rutman, 00 + 1 +602.578.0086 (mobile) 
00 + 1 +602.957.5668 (office) 
Troy.Rutman () bestwestern com

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

[end]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIskdHq1pz9mNUZTMRAtB0AKD78p7laMriSEbBLrNgQ6FEup2I6ACdESsY
iDDLSmn1xSomRDUX+cq5kXA=
=WeCW
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

