FTC files lawsuit over data breaches at large hotel operator

The agency alleges that Wyndham Worldwide failed to take appropriate security measures in three breaches

The U.S. Federal Trade Commission has filed a lawsuit against hotel operator Wyndham Worldwide and three of its subsidiaries after three data breaches at Wyndham hotels in less than two years, the agency announced Tuesday.

The three breaches, in 2008 and 2009, led to millions of dollars in fraud losses and the export of hundreds of thousands of customers' payment card information to an Internet domain address in Russia, the FTC said in a press release.

Wyndham failed to take appropriate security measures to protect customers' personal data, the FTC alleged. In some cases, Wyndham stored customers' payment card information in clear text, the agency alleged.

The FTC has asked the U.S. District Court for the District of Arizona to order Wyndham to stop deceiving customers about its information security practices and to order Wyndham to refund lost money to customers.

In its complaint, the FTC alleged that Wyndham's privacy policy misrepresented the security measures the company and its subsidiaries took to protect consumers' personal information. The company's failure to safeguard personal information caused substantial injury to customers, the FTC alleged.

Wyndham's security practices were unfair and deceptive and violated the FTC Act, the agency alleged.

Wyndham "cooperated fully" with an FTC investigation into the breaches, the company said in a statement.

"At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," the company added. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks."

Since the breaches, Wyndham has made "significant enhancements" to its information security practices, the company said.

Wyndham regrets the FTC's decision to pursue a lawsuit and will defend against the claims "vigorously," the company added.

Wyndham and its subsidiaries license the Wyndham name to approximately 90 independently owned hotels. Wyndham hotels also include Ramada, Super 8, Days Inn and Howard Johnson.

Since 2008, the Wyndham Hotels and Resorts website has said, "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program."

But repeated security failures exposed consumers' personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged.

Wyndham also allowed improper software configurations resulting in the storage of sensitive payment card information in clear readable text.

Each Wyndham-branded hotel has its own property-management computer system to handle payment card transactions, the FTC said. Each system stores payment card account numbers, expiration dates, and security codes.

In the first breach, in April 2008, intruders gained access to a Phoenix Wyndham-branded hotel's local computer network and the corporate network of Wyndham Hotels and Resorts. The intruders were able to install so-called memory-scraping malware on numerous Wyndham-branded hotels' property management system servers.

The breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels, the FTC said. The breach led to the compromise of more than 500,000 payment card accounts, with many account numbers exported to a domain registered in Russia, the FTC said.

After the first breach, Wyndham failed to fix the security vulnerabilities and failed to use reasonable measures to detect unauthorized access, the FTC said.

Then, in March 2009, intruders again gained unauthorized access to Wyndham Hotels and Resorts' network, using techniques similar to those in the first breach, the agency said. Intruders installed memory-scraping malware and reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests. Intruders were able to access information on more than 50,000 payment card accounts at 39 Wyndham-branded hotels and use the accounts to make fraudulent charges, the FTC said.

Later in 2009, intruders again installed memory-scraping malware and thereby compromised Wyndham Hotels and Resorts' network and the property management system servers of 28 Wyndham-branded hotels. The intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
