SAN FRANCISCO – Did a computer intrusion at a Best Western hotel in Germany open the door for a hacker to steal the records of 8 million customers and pull off "the greatest cyber-heist in world history," as a Scottish newspaper put it?
The Phoenix-based hotel chain and the Sunday Herald newspaper of Scotland are duking it out over the paper's story on the data breach. Best Western calls the article "grossly unsubstantiated" and "largely erroneous."
The story said a hacker installed a malicious program on a computer used for reservations at a Best Western hotel, and used it to steal a database containing details on every customer who checked into one of Best Western's 1,312 European hotels since 2007.
The hacker then sold the database through an "underground network operated by the Russian mafia," the story claimed.
Best Western acknowledged that a hacker infiltrated the computer network of one of its hotels in Berlin and installed a data-stealing Trojan horse program on one of the machines.
But Best Western claims the breach was limited to the one hotel and said the hacker didn't have access to other facilities' networks. Best Western said just 10 customers were affected, adding that the FBI and other law enforcement agencies are investigating.
The company said it purges guests' credit card and other data from its systems within seven days of their checkout.
That's a good security practice, but it's not necessarily enough to stop an attacker who uses a malicious program that grabs information as it is first entered into the computer system, before any purge takes place.
Iain Bruce, who is the Sunday Herald's technology editor and the reporter who broke the story, told The Associated Press that the paper stands by the article.
He provided screen shots of what appeared to be Best Western's reservation system and personal details on one of the customers listed there. Though the screen shots show a tool that lets users search records dating back to 2007, it's unclear how much personal information such a search would yield.
Ten customers' names are listed in the screen shot, but the list appears to continue off the screen.
Bruce did not immediately respond to further questions about where he got the screen shots or what proof he had that millions of customers' accounts were compromised.
On that count, Best Western's statement was firm: "There is no evidence of any unauthorized access to any other customer data."