FTC Sues Wyndham Hotels Over Repeated Data Breaches
The FTC alleges the Wyndham failed to protect its customers against the theft of their credit card information.
CREDIT: Wyndham Hotels and Resorts
The U.S. Federal Trade Commission has filed a lawsuit against Wyndham Worldwide Corp., alleging that the global hotel chain unnecessarily exposed customers' credit card data and other personal information to theft and unauthorized access. The complaint cites three separate data breaches against which Wyndham failed to protect its customers.
The defendants in the case are: Wyndham Worldwide Corp.; its subsidiary, Wyndham Hotel Group LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group — Wyndham Hotels and Resorts LLC and Wyndham Hotel Management Inc.
According to the FTC lawsuit, cybercrooks first infiltrated the network of a Phoenix, Ariz., Wyndham-branded hotel, allowing them to compromise more than 500,000 payment card accounts and export hundreds of thousands of card account numbers to a domain registered in Russia.
This first data breach, in 2008, was followed by another in March 2009, when hackers siphoned clear text files containing the payment card information from more than 50,000 guests at 39 Wyndham-branded hotels. Again in 2009, another 28 Wyndham hotel servers were breached, leading to the breach of about 69,000 customers.
The criminals, believed to be the same in all three incidents, used the stolen financial data to make at least $10.6 million in fraudulent purchases.
In all cases, the FTC says Wyndham stored customers' credit card data in plain text, used default user IDs and passwords, did not deploy firewalls, allowed easy-to-guess passwords and did not conduct security investigations or protect its computers from malware.
"The lack of action after repeatedly being compromised is truly unacceptable behavior and without the oversight of agencies like the FTC, consumers are left unaware of the risk they are exposed to," Chet Wisniewski from the security firm Sophos wrote in a blog.
The suit is pending in federal court in Arizona.