
FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers’ Personal Information

Posted on June 26, 2012 by Dissent

Woo hoo. I had such a headache trying to sort out Wyndham’s breaches (see previous blog entries on Wyndham) and was concerned that at least one state had removed their notification from public view on the state’s web site because Wyndham had asked that it be treated as confidential.  Now it seems the FTC has gone after them (complaint) and that Wyndham’s breaches allegedly affected over 500,000 customers.  From the FTC today:

The Federal Trade Commission filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.

In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury.  The agency charged that the security practices were unfair and deceptive and violated the FTC Act.

Wyndham and its subsidiaries license the Wyndham name to approximately 90 independently-owned hotels, under franchise and management agreements.

Since 2008 Wyndham has claimed, on its Wyndham Hotels and Resorts subsidiary’s website that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

According to the FTC’s complaint, the repeated security failures exposed consumers’ personal data to unauthorized access.  Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged.  In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text.

Each Wyndham-branded hotel has its own property management computer system that handles payment card transactions and stores information on such things as payment card account numbers, expiration dates, and security codes.  According to the FTC, in the first breach in April 2008, intruders gained access to a Phoenix, Arizona Wyndham-branded hotel’s local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts.

Because of Wyndham’s inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham’s Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels.  This access enabled the intruders to:

  • install “memory-scraping” malware on numerous Wyndham-branded hotels’ property management system servers.
  • access files on Wyndham-branded hotels’ property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.

Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export (sic)  hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.

Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures.  As a result, Wyndham’s security was breached two more times in less than two years.

  • In March 2009, intruders again gained unauthorized access to Wyndham Hotels and Resorts’ network, using similar techniques as in the first breach.  In addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests.  In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts.
  • Later in 2009, intruders again installed memory-scraping malware and thereby compromised Wyndham Hotels and Resorts’ network and the property management system servers of 28 Wyndham-branded hotels.  As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts.

The defendants in the case are:  Wyndham Worldwide Corporation; its subsidiary, Wyndham Hotel Group, LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group – Wyndham Hotels and Resorts, LLC and Wyndham Hotel Management, Inc.

The Commission vote to authorize staff to file the complaint was 5-0, with Commissioner J. Thomas Rosch concurring in the filing of the complaint, but dissenting from including Count II.  The complaint was filed in the U.S. District Court for the District of Arizona.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.  The complaint is not a finding or ruling that the defendants have actually violated the law.
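Two of the complaint's allegations are concrete enough to put into code: payment card account numbers "improperly stored in clear readable text" on property management servers, and "memory-scraping" malware that harvests the same numbers from running processes. The following is an added example written for this page, not code from the FTC, Wyndham or DataBreaches.net. It is a small Python scanner that finds Luhn-valid card numbers in an arbitrary byte buffer. Run over a property management system export or log, it is the check an operator could use to confirm that PANs are not being written to disk in the clear; run over a process memory dump, it is in outline what a memory scraper looks for. The sample export bytes, the field names and the `Finding` record are constructed for the example; the card numbers in it are the widely published test numbers, not real accounts.

```python
"""
Added example (not from the FTC complaint or the DataBreaches.net post):
scan a byte buffer for payment card account numbers stored in clear text.

The same scan applied to a process memory image is, in outline, what
"memory-scraping" malware does; applied to a PMS export or log file it is
a defensive check for cleartext PAN storage.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens (as on a printed card or in a loosely formatted log), and not part
# of a longer digit run such as a timestamp or a transaction counter.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Card brands issue Luhn-valid account numbers, so the check separates
    real PANs from other long digit strings (folio numbers, timestamps)
    that the regular expression alone would also flag.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six (BIN) and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    offset: int      # byte offset of the match in the scanned buffer
    masked: str      # PAN with the middle digits masked, safe to report
    context: str     # surrounding text, to identify the record type


def find_cleartext_pans(data: bytes, context_chars: int = 20) -> list[Finding]:
    """Return every Luhn-valid PAN found in the buffer, masked for reporting.

    latin-1 decoding is used so that arbitrary bytes (a memory dump) decode
    without error and byte offsets equal character offsets.
    """
    text = data.decode("latin-1")
    findings: list[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            start = max(0, m.start() - context_chars)
            end = min(len(text), m.end() + context_chars)
            findings.append(Finding(m.start(), mask_pan(digits), text[start:end]))
    return findings


# Constructed sample of what a PMS log or export might look like if card data
# were written to disk unencrypted. The card numbers are public test numbers.
SAMPLE_PMS_EXPORT = (
    b"2009-03-15 02:14:07 PMS folio=1234567890123456 guest=J. Doe room=412\n"
    b"card=4111111111111111 exp=0311 cvv2=123 auth=OK\n"
    b"track=5555 5555 5555 4444 exp=1210\n"
    b"card=4111111111111112 exp=0311 auth=DECLINED\n"   # fails Luhn: not a PAN
    b"amex=3782-822463-10005 exp=0512\n"
    b"tel=602-555-0100 confirm=20090315021407\n"       # 14 digits, fails Luhn
)


if __name__ == "__main__":
    for f in find_cleartext_pans(SAMPLE_PMS_EXPORT):
        print(f"offset={f.offset:5d}  pan={f.masked}  ...{f.context.strip()!r}")
```

Of the six long digit strings in the sample, only three pass the Luhn check and are reported: the folio number, the declined card and the confirmation number are not PANs and are skipped. Reporting only the masked form matters because a scanner that writes full PANs into its own output recreates the very cleartext storage it is looking for.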

Category: Breach Incidents, Business Sector, Hack, ID Theft, Of Note, U.S.
