FTC goes after Wyndham for data beaches at its hotels

A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.

MORE: FBI busts 24 in massive international online financial crime takedown 

IN PICTURES: The year in security mischief-making 

The FTC says Wyndhams, which owns more than 7,000 hotels, alleged security failures led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia. In its complaint, the FTC alleges that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, and that its failure to safeguard personal information caused substantial consumer injury.

The FTC says the repeated security failures exposed consumers' personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network. In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text, the FTC stated.

According to the FTC, each Wyndham hotel has its own property management computer system that handles payment card transactions and stores information on such things as payment card account numbers, expiration dates, and security codes. According to the FTC, in the first breach in April 2008, intruders gained access to a Phoenix Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts. Because of Wyndham's inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels.

Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham's security was breached two more times in less than two years.

The breach let scammers:

• Install "memory-scraping" malware on numerous Wyndham-branded hotels' property management system servers.

• Access files on Wyndham-branded hotels' property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.

• Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers' payment card account numbers to a domain registered in Russia.

In May, the FBI warned travelers there had been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections. The FBI wasn't specific about any particular hotel chain, nor the software involved but stated: "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms."

The FBI recommended that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor's website if updates are necessary while abroad."

The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Cooney

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts