On June 26, 2012, the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures. The FTC alleges that these security failures led to three data breaches at Wyndham hotels in less than two years.
The complaint alleges these breaches resulted in fraudulent charges on consumers' accounts, millions of dollars in loss from fraud, and the loss of hundreds of thousands of consumers' credit card information to an Internet domain address based in Russia. The FTC also charges that Wyndham's privacy policy misrepresented the security measures used by the company and its subsidiaries to protect consumers' personal information and this failure led to serious consumer injury. Wyndham's security practices were charged as unfair, deceptive, and in violation of the FTC Act.
According to the FTC, Wyndham and its subsidiaries failed to take adequate security measures, such as the use of complex user IDs and passwords, firewalls, and network segmentation between the hotels and the corporate network. Additionally, the defendants used improper software configurations that resulted in sensitive payment card information being stored in easily readable text.
Because of Wyndham's inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels. This access enabled the intruders to: 1) install "memory-scraping" malware on numerous Wyndham-branded hotels' property management system servers; and 2) access files on Wyndham-branded hotels' property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text. In total, the breach led to the compromise of more than 500,000 payment card accounts.
Even after the first breach of consumer data in 2008, the FTC alleges, Wyndham failed to remedy security vulnerabilities, failed to employ reasonable measures to detect unauthorized access, and failed to follow proper incident response procedures. The complaint alleges that Wyndham's decision not to improve its security led to two more breaches within two years of the first.
This case serves as an important reminder that businesses need to ensure proper safeguards are in place to protect the information they hold online.