Bernhard Warner
As scoops go, it was massive. Eight million customers of the hotel chain Best Western had their credit card details stolen last week by an Indian hacker with ties to the Russian mob. The loot is worth £2.8 billion to the thieves, Glasgow's Sunday Herald revealed, using a back-of-the-envelope calculation that would make the editor of any Sunday newspaper blush. Holidaymakers' credit card details, we were informed, could be unwittingly funding a European criminal enterprise without equal.
"In the wrong hands, there's enough data there to spark a major European crime wave," the security expert and presumed tipster warned The Herald. Simply put, this was "the greatest cyber-heist in world history."
The Herald, we were also informed, notified the hotel chain before publishing the story. The company thanked the paper for its vigilance and closed the breach, we learnt.
End of story. The public is alerted. The breach is closed. The risk is taken care of. The only thing left is for poor fools like me who booked a room in a Best Western over the past year to ring up the company and find out what damage has been done. If my Visa card is being used to fund arms smuggling, or heroin transport or to buy cases of Red Bull for teenage coders I want to know.
But by Sunday evening (Monday morning in Europe), the story had changed. Best Western, so thankful to The Herald in the original report, was now irate. It issued a statement dismissing the paper's "grossly unsubstantiated" article. "We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper," the statement read.
Huh? But The Herald quoted you, Best Western, in the original article admitting to some type of breach. You also said you were working with credit card partners to protect customers. And now there's no breach whatsoever?
For the next 36 hours, confusion reigned. A Google News search pulled up over 200 articles debating whether Best Western had or had not been hacked. Meanwhile, dozens of IT specialist publications jumped in, attacking The Herald's reportage in a never-send-a-boy-to-write-about-a-man's-topic crusade. As Jason Lee Miller writes, "Good luck in finding them; the cyber-Ruskies are generally untraceable, except by reporters monitoring secret underground websites."
By late Tuesday, Best Western was back again with a third statement, this one contradicting its second statement. In fact, there was a data breach, the company now informed the public. But just ten customers were affected, not eight million. And, it was only guests of the Best Western Hotel am Schloss Kopenick in Berlin, it pointed out. (I was in the clear. I haven't been to Berlin in years.)
In an unusual move, a message also appeared in the reader response area to the original Herald article on Tuesday evening purporting to be from Best Western chief executive David Clarke. It divulged a new detail: no customers from "GB" were victims of the attack.
Still, the damage is done. There are doubts hanging over everyone involved in this story. The credibility of The Herald's original reporting is rightly under fire. By reporting the details in such alarmist and hyperbolic prose, the paper made it hard to take any detail seriously. And yet, the reporter has performed a real public service. If he hadn't notified the hotel of the hack attack, there's a chance the breach would still be unpatched today and that the number of victims would be, by now, well above ten. No, not a "major European crime wave", but for victims of the hack attack, it would be a real hassle.
The worst marks go to Best Western. In changing its story so many times, it left the public baffled about the extent of the damage and who, if anybody, is at risk.
"The response by Best Western is certainly not the best response we could have had," says Lars Davies, managing director of Kalypton Limited, a UK-based firm that specialises in data compliance and protection matters in Europe, North America and Asia. "The worst thing to do is to issue an outright denial and then reveal in bits and bobs that there was an actual breach. The question people will be asking is: 'what else are you hiding?'"
Sadly, the muddled response issued by Best Western's PR team is not all that unusual, given the confusing nature of these types of attacks and companies' unfamiliarity with how they should deal with them legally. It's baffling when you consider how many data breaches appear to be occurring each week. Has the business world learned nothing from these intrusions? Is the head-in-the-sand approach to be the standard response?
The good news is that regulators are insisting on a more timely and comprehensive response to data leaks from companies. In Europe this is governed by the EU Data Protection Directive. It's interpreted differently in each country. For example, in Germany, where the Best Western breach allegedly occurred, regulators strictly enforce public disclosure requirements, Mr Davies says. "In the UK, it's more slack," he says, but the UK is beginning to get tough on companies that fail to respond quickly to patch their networks and inform victims. Last year, the Nationwide building society was forced to pay a £980,000 fine for losing a laptop containing customer data. The size of the fine, the largest in the UK, was defined not by the size of the breach, but by how long it took for Nationwide – in this case, three weeks – to do anything about it.
As the Best Western admission-denial-admission merry-go-round shows, companies hit by a cyber attack still appear to be more concerned with protecting their reputation first than with their customers' needs and concerns. As fines for inadequate disclosure loom larger, this is bound to change. As Mr Davies says, "regulators have to decide: who do you want to protect? Big business or the consumer? But if you don't protect the consumer you won't have any more business."
---
Bernhard Warner, a freelance journalist and media consultant, writes about technology, the internet and media industries. He can be reached at techscribe@gmail.com
Copyright 2009 Times Newspapers Ltd.
As a representative of Best Western Hotels I would like to clarify exactly what happened after this security breach was discovered.
The Sunday Herald showed us a screen-shot with a single log-in, indicating possible exposure of a limited number of customer records. We responded immediately with a statement based on what we had been shown.
We never denied the potential problem, and quickly learned, in fact, that the hotel in question had detected a Trojan virus possibly linked to this log-in compromise. We immediately closed the breach and alerted our global affiliate offices and credit card partners. We also began a thorough investigation.
The Herald story then ran, using our response but attached to massive claims about a European problem. Crucially the reporter had not presented evidence of, or asked for comment on, a security breach of this scale so our response was never directed toward this claim.
We issued our first official statement immediately, to allay undue customer panic. It seems unfair to criticise us for issuing a timely general statement in the public interest, and then also depict us as not having put customer interests first. That first statement was and is accurate. We issued a significantly more detailed statement within 24 hours, balancing concerns of speed and accuracy, when more information had come to light.
If any customers are still concerned, please do contact our customer service helpline on 08457 737373.
Best Western Hotels, London
Where is the police statement? A crime has been committed? When that happens the police are involved, and they speak to the press and tell us all roughly what is going on. So where is the reassuring sight of a bobby telling us the truth, the whole truth and nothing but the truth?
Barry, Woking, UK
BW says it purges all reservations data after guest departure. That may apply at the local hotel level but not to their Gold Crown Club guests whose details are kept on a central database linked to the hotel's system before and during the guest's stay - making it a back door to the central system?
Diana, Aberdeen, United Kingdom