FYI: Revealed: 8 million victims in the world's biggest cyberheist [Best Western Hotel group]

Roland Perry ukcrypto at chiark.greenend.org.uk
Mon, 25 Aug 2008 10:43:10 +0100


In article <zEy$XzBUTisIFANW@highwayman.com>, Richard Clayton 
<richard@highwayman.com> writes
>   Most importantly, whereas the reporter asserted the recent compromise
>   of data for past guests from as far back as 2007, Best Western purges
>   all online reservations promptly upon guest departure.

That must be a bit inconvenient for the "frequent flyer" programme [Gold 
Crown Club International tm], unless they regard that as a completely 
separate piece of IT. I am not familiar with the GCCI, but several such 
programmes keep a long term copy of guest information centrally to 
expedite check-in [1]. Indeed, that might be where the otherwise curious 
reference to "place of employment" in the stolen dataset derives from 
(corporate membership of the club).

In any event you'd expect details to be kept for long enough to be able 
to resolve any billing disputes.

[1] Which is why the hotel staff need access. One security measure might 
be to highlight any staff member whose account suddenly generates more 
than a few dozen queries a day, or queries spread all around a 24hr 
shift.
-- 
Roland Perry
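The per-account heuristic proposed in footnote [1] above (flag a staff account that suddenly issues more than a few dozen guest lookups in a day, or whose lookups are scattered across the whole 24-hour day rather than one shift) is easy to run over an ordinary audit log. The following is an added illustration written for this archive page; it is not Roland Perry's code nor anything from Best Western. The log format (ISO timestamp, account name, action), the thresholds (36 lookups per day, activity in more than 12 distinct hours) and the three example accounts are all assumptions chosen for the demonstration; the sample lines are constructed, not real data.

```python
"""Flag front-desk accounts whose guest-record lookups look anomalous.

Two heuristics, following the footnote in the post above:
  * volume: more than a "few dozen" lookups by one account in one calendar day
  * spread: lookups scattered across most hours of the day, which a single
            shift worker would not normally produce
"""
from collections import defaultdict
from datetime import datetime


def _constructed_log():
    """Build a small synthetic audit log (constructed, not real data).

    Assumed line format: '<ISO timestamp> <account> <action>'.
    """
    lines = []
    # reception01: an ordinary day shift, 10 lookups between 08:00 and 15:59
    for i in range(10):
        lines.append(f"2008-08-20T{8 + i % 8:02d}:{(i * 7) % 60:02d}:00 "
                     f"reception01 guest_lookup")
    # nightbulk: 50 lookups crammed into 02:00-03:59 (bulk export pattern)
    for i in range(50):
        lines.append(f"2008-08-20T{2 + i // 30:02d}:{i % 60:02d}:00 "
                     f"nightbulk guest_lookup")
    # roundclock: one lookup in every hour of the day (shared or scripted account)
    for h in range(24):
        lines.append(f"2008-08-20T{h:02d}:30:00 roundclock guest_lookup")
    # an unrelated action type that the detector should ignore
    lines.append("2008-08-20T11:00:00 reception01 checkout")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, account, action); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def flag_accounts(lines, max_per_day=36, max_active_hours=12):
    """Return {account: set(reasons)} for accounts breaching either heuristic.

    Thresholds are assumptions: 36 is "a few dozen"; 12 distinct active hours
    is well beyond a single 8-hour shift.
    """
    per_day = defaultdict(int)    # (account, date) -> lookup count
    hours = defaultdict(set)      # (account, date) -> set of hours with activity
    for raw in lines:
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        ts, account, action = parsed
        if action != "guest_lookup":
            continue
        key = (account, ts.date())
        per_day[key] += 1
        hours[key].add(ts.hour)

    flags = defaultdict(set)
    for (account, _day), count in per_day.items():
        if count > max_per_day:
            flags[account].add("volume")
        if len(hours[(account, _day)]) > max_active_hours:
            flags[account].add("spread")
    return dict(flags)


if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(_constructed_log()).items()):
        print(f"{account}: {', '.join(sorted(reasons))}")
```

On the constructed log this flags "nightbulk" for volume and "roundclock" for spread, and leaves the ordinary day-shift account alone. The output is a list for a supervisor to review rather than an automatic lockout: a coach party checking in at once can legitimately push a real account over the volume threshold, so the thresholds should be tuned against a hotel's own baseline before anyone acts on them.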