Hotel Giant Wants Data-Security Lawsuit Dropped
The FTC alleges the Wyndham failed to protect its customers against the theft of their credit card information.
CREDIT: Wyndham Hotels and Resorts
Wyndham Hotels and Resorts came under fire earlier this summer for not adequately protecting customer data, but now the company is fighting back.
In U.S. District Court in Phoenix last month, the hotel giant filed a motion to dismiss a June Federal Trade Commission complaint over a series of data breaches that began in 2008.
Wyndham's Aug. 27 filing accuses the FTC of having "neither the expertise nor the statutory authority to establish data security standards for the private sector" and of not providing prior guidance "of what data security protections a company must employ to be in compliance with the law."
Hackers lifted the details for a half-million credit cards, which were then sent to a server in Russia. The credit cards, many of which the FTC said were stored in plain text, were used to make $10.6 million in unauthorized purchases.
The data thefts occurred three times over an 18-month period and, according to the FTC, Wyndham took no action to prevent future incidents from happening after the first one occurred.
Wyndham "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury," the FTC alleged in its lawsuit.
In response to the suit, prompted by alleged violations of the FTC Act and seeking unspecified damages, Wyndham said they were being "singled out" in "unprecedented litigation."
While the litigation may be unprecedented — the FTC has gone after other major companies over data security but always settled — the regulatory agency pointed to a number of security transgressions, including storing credit card information in plain text, not employing firewalls, anti-virus or malware detection software, and using default user IDs and passwords.
Chester Wisniewski, a senior security adviser for Sophos, told SCMagazine.com that although network security guidelines may not be explicitly outlined by federal law, companies can be on the hook for big security lapses.