
FTC goes after Wyndham for data breaches at its hotels

FBI recently warned travelers of an uptick in malicious software infecting laptops and other devices linked to hotel Internet access points

By , Network World
June 27, 2012 07:37 AM ET

Network World - A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.

The FTC says Wyndham's alleged security failures (the company owns more than 7,000 hotels) led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia. In its complaint, the FTC alleges that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, and that its failure to safeguard personal information caused substantial consumer injury.

The FTC says the repeated security failures exposed consumers' personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network. In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text, the FTC stated.

According to the FTC, each Wyndham hotel has its own property management computer system that handles payment card transactions and stores information on such things as payment card account numbers, expiration dates, and security codes. According to the FTC, in the first breach in April 2008, intruders gained access to a Phoenix Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts. Because of Wyndham's inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels.

Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham's security was breached two more times in less than two years.

The breach let scammers:

• Install "memory-scraping" malware on numerous Wyndham-branded hotels' property management system servers.

• Access files on Wyndham-branded hotels' property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.

Ultimately, the FTC says, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers' payment card account numbers to a domain registered in Russia.
