If you stayed at a Wyndham hotel, check your mail, because you may be getting a letter from the chain telling you of a hack that occurred months ago.
In a letter to the New Hampshire Attorney General dated December 23, Wyndham Hotels and Resorts updated a notification sent to states attorney general back in early October about a breach involving their data center in Phoenix. The date of the breach and date of discovery were not indicated in the follow-up letter and the original notification to states attorney general is not currently available online.
In a letter to affected individuals, the chain writes:
As a result of unauthorized access to Wyndham systems, Wyndham has determined that your credit or debit card number, expiration date and possibly your name were compromised. Wyndham has taken numerous steps to protect your information since the discovery of this incident. In addition to terminating the unauthorized access, we revalidated our information security infrastructure to confirm that we maintain industry standard protections for customer data. In addition, we promptly notified law enforcement and each of the major payment card networks (American Express, Visa, MasterCard, and Discover). We also provided each of the payment card companies with the actual credit and debit card numbers that had been involved in the incident so that the payment card companies could take such action as they deemed appropriate to monitor the cards. We also notified the affected managed and franchised hotels so that they could take the appropriate action to ensure that their systems are properly investigated and secured.
In their notification to the states, Wyndham notes that “due to the nature of the breach, the names and addresses of the consumers were not readily available. Consequently, Wyndham contracted with a third party, Equifax, to provide a matching service for all current credit card numbers which we believe may have been compromised.”
Notification to those affected began on December 15, but because the matching process was not completed as of December 23, the company anticipated that it would still be sending out notifications “early in 2009.”
Wyndham did not indicate in its notification which hotels were affected or how many customers were affected. In its response to an inquiry, a spokesperson reported:
We are taking every step to ensure our guests’ information is protected and at the same time give them notice to watch their accounts. This affected a small number of guests at a small number of hotels.
Claiming confidentiality, the spokesperson declined to answer any further questions. A reliable source informs us that Wyndham has also tried to prevent its breach disclosure from being made publicly available on the web in at least one state’s breach list.
The chain is offering those affected one year of Equifax Credit Watch 3-in-1 Alerts and:
In addition, for a limited time we are offering a Preferred Customer Rate discount program for our customers who may have been impacted by this incident. You will receive a 20% discount on the room rate for any hotel stays with a Wyndham brand hotel when you make your reservations on or before March 31, 2009. To take advantage of this offer via telephone, you may call 1-800-WYNDHAM and ask for the PREFERRED GUEST RATE or ask for the rate for Corporate ID 43783670. To take advantage of the discount online, please visit www.wyndham.com. and select the property at which you want to stay. At that point, you should enter your travel details, click on Search using Corporate, Promo and Group codes, enter Corporate ID 43783670 and then search for rates.