ISPLA News-FTC files complaint for large data breach

  • Peter Psarouthakis
    FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers' Personal Information - Credit Card Data of Hundreds of Thousands of Consumers
    Message 1 of 1 , Jun 30, 2012
      FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers'
      Personal Information - Credit Card Data of Hundreds of Thousands of
      Consumers Compromised, Millions of Dollars Lost to Fraud.

      The Federal Trade Commission filed suit against global hospitality company
      Wyndham Worldwide Corporation and three of its subsidiaries for alleged data
      security failures that led to three data breaches at Wyndham hotels in less
      than two years. The FTC alleges that these failures led to fraudulent charges
      on consumers' accounts, millions of dollars in fraud loss, and the export of
      hundreds of thousands of consumers' payment card account information to an
      Internet domain address registered in Russia.

      The case against Wyndham is part of the FTC's ongoing efforts to make sure
      that companies live up to the promises they make about privacy and data
      security <http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml>.

      In its complaint
      <http://www.ftc.gov/os/caselist/1023142/120626wyndamhotelscmpt.pdf>, the FTC
      alleges that Wyndham's privacy policy misrepresented the security measures
      that the company and its subsidiaries took to protect consumers' personal
      information, and that its failure to safeguard personal information caused
      substantial consumer injury. The agency charged that the security practices
      were unfair and deceptive and violated the FTC Act.

      Wyndham and its subsidiaries license the Wyndham name to approximately 90
      independently-owned hotels, under franchise and management agreements.

      Since 2008 Wyndham has claimed, on its Wyndham Hotels and Resorts
      subsidiary's website, that "We recognize the importance of protecting the
      privacy of individual-specific (personally identifiable) information
      collected about guests, callers to our central reservation centers, visitors
      to our Web sites, and members participating in our Loyalty Program."

      According to the FTC's complaint, the repeated security failures exposed
      consumers' personal data to unauthorized access. Wyndham and its
      subsidiaries failed to take security measures such as complex user IDs and
      passwords, firewalls and network segmentation between the hotels and the
      corporate network, the agency alleged. In addition, the defendants allowed
      improper software configurations which resulted in the storage of sensitive
      payment card information in clear readable text.

      Each Wyndham-branded hotel has its own property management computer system
      that handles payment card transactions and stores information on such things
      as payment card account numbers, expiration dates, and security codes.
      According to the FTC, in the first breach in April 2008, intruders gained
      access to a Phoenix, Arizona Wyndham-branded hotel's local computer network
      that was connected to the Internet and the corporate network of Wyndham
      Hotels and Resorts.

      Because of Wyndham's inadequate security procedures, the breach gave the
      intruders access to the corporate network of Wyndham's Hotels and Resorts
      subsidiary, and the property management system servers of 41 Wyndham-branded
      hotels. This access enabled the intruders to:

      * install "memory-scraping" malware on numerous Wyndham-branded
      hotels' property management system servers.
      * access files on Wyndham-branded hotels' property management system
      servers that contained payment card account information for large numbers of
      consumers, which was improperly stored in clear readable text.

      Ultimately, the breach led to the compromise of more than 500,000 payment
      card accounts, and the export of hundreds of thousands of consumers' payment
      card account numbers to a domain registered in Russia.

      Even after faulty security led to one breach, the FTC charged, Wyndham still
      failed to remedy known security vulnerabilities; failed to employ reasonable
      measures to detect unauthorized access; and failed to follow proper incident
      response procedures. As a result, Wyndham's security was breached two more
      times in less than two years.

      * In March 2009, intruders again gained unauthorized access to Wyndham
      Hotels and Resorts' network, using similar techniques as in the first
      breach. In addition to using memory-scraping malware, they reconfigured
      software at the Wyndham-branded hotels to obtain clear text files containing
      the payment card account numbers of guests. In this second incident, the
      intruders were able to access information at 39 Wyndham-branded hotels for
      more than 50,000 consumer payment card accounts and use that information to
      make fraudulent charges using consumers' accounts.
      * Later in 2009, intruders again installed memory-scraping malware and
      thereby compromised Wyndham Hotels and Resorts' network and the property
      management system servers of 28 Wyndham-branded hotels. As a result of this
      third incident, the intruders were able to access information for
      approximately 69,000 consumer payment card accounts and again make
      fraudulent purchases on those accounts.

      The defendants in the case are: Wyndham Worldwide Corporation; its
      subsidiary, Wyndham Hotel Group, LLC, which franchises and manages
      approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group -
      Wyndham Hotels and Resorts, LLC and Wyndham Hotel Management, Inc.

      The Commission vote to authorize staff to file the complaint was 5-0, with
      Commissioner J. Thomas Rosch concurring in the filing of the complaint, but
      dissenting from including Count II. The complaint was filed in the U.S.
      District Court for the District of Arizona.

      Bruce Hulme

      ISPLA Director of Government Affairs

      <http://www.ispla.org/> www.ISPLA.org

      Resource to the Profession, to Government, and to the Media
