On August 26, 2008, the Sunday Herald reported that a hacker had broken into the Best Western reservations system and stolen personal and financial data about eight million Best Western customers, including credit card numbers. According to the report, the thief had installed a virus on the machine of an employee of a local hotel and used that virus to log the employee’s username and password for the hotel system. With that login information, the thief had simply and quickly mined the hotel reservation system for all the information about all of Best Western’s customers. The original report quoted a security expert exclaiming that “there’s enough data there to spark a major European crime wave.” Accustomed to a string of announcements about large-scale data breaches, news media and blogs across the Internet amplified the report.
Almost immediately, the CIO of Best Western posted a comment on the Sunday Herald story’s web page asserting that “This story is grossly unsubstantiated! … This has affected only ten customers who we are currently being contacted to offer our assistance, none of these were GB customers.” Within a couple of days, Information Week posted an interview with the CIO of Best Western, in which he argued that individual hotel clerks have access only to accounts for their local hotels, that credit card information is deleted from the system within seven days of use, and that the reporter of the original story had basically made up the eight million number out of whole cloth. Neither the Sunday Herald nor the original reporter has amended the story or commented on the claims that they exaggerated the problem. The reporter claimed to have screenshots that showed the entire database of eight million accounts but has not posted those screenshots or further evidence of a large-scale data breach.
Notwithstanding the well-established habit of companies attempting to minimize the importance of their data breaches, the bulk of the evidence suggests that the Best Western side of the story is much more likely to be closer to the truth. Hacker or no hacker, it would be egregious to allow a single hotel clerk from a local hotel access to the credit card details of every single Best Western customer. Likewise, it would be horrible security practice not to monitor access to sensitive customer information by authorized users (as the CIO claims that his systems were doing). With thousands of such local clerks, it would be inevitable that some of them would fall to the temptation of stealing account information without need for any sophisticated software. This is not to say that such a data breach is not possible or that more egregious data breaches have not happened. But without more evidence, it seems very likely that the original reporter got carried away and assumed a much greater breach than actually happened.
What’s interesting about the case is the difficulty of telling exactly what happened and what that difficulty says about the state of security and privacy online. Despite claims of a massive crime wave, the system of social insurance set up around credit cards is able to handle large-scale breaches of account information without widely visible effects on customers. For example, the 2007 T. J. Maxx data breach exposed more than 45 million credit card numbers. The FBI reported millions of dollars in theft from Walmart, but that level of theft is line noise within the total credit card sales for Walmart, let alone for all credit card transactions.
The card companies are able to detect fraudulent card uses in many or most cases and either refuse them or charge them back to the merchants (resulting in higher prices by the merchants). To avoid notice, thieves are more likely to charge small amounts to large numbers of cards than large amounts to individual cards, further mitigating the amount of damage done. Fraudulent charges that are noticed by customers are eaten by the card companies (and passed on in large part to customers as credit card charges), and those that are not are simply eaten by the customers. But again, the charges that are most likely not to be noticed are small ones. The card companies don’t want customers to feel that their cards are not secure, so they do not widely publish this information to customers, but the industry is structured to eat some small percentage of fraudulent charges simply as the price of using credit cards widely.
Because of large-scale data breaches and the general insecurity of our current computing / Internet infrastructure, credit card numbers at this point are basically an advisory security feature. They are just secret enough to let other folks know that it is wrong to use them, but not secret enough to stop a bad guy from getting access to them. The credit card companies have a strong vested interest, however, in the idea that credit cards are strongly secure, because customers will stop using them if they feel they can’t be trusted. So they encourage the idea that credit cards are secure, while implementing strong mechanisms on the back end (such as increasingly aggressive fraud detection algorithms) to deal with the fact that they are not.
Massive credit card breaches like the T. J. Maxx case and the alleged Best Western case highlight the nature of this shell game, though. The system can absorb the loss of tens of millions of card numbers with little or no impact on end customers en masse. But because the credit card companies have this interest in hiding what’s actually happening, it’s very difficult to decode these cases. They fade into the background in one way or another — either because there was no data breach or because the system of social insurance created by the credit card companies absorbs the costs with little real impact on end customers. The only thing we can tell from the cases is the shell game nature of credit card numbers (and online privacy in general, but that’s an argument for further posts!).