DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Wyndham caves, settles charges with FTC (updated)

Posted on December 9, 2015 by Dissent

I did not see this coming.  Wyndham has settled FTC charges, bringing an end to a closely watched court case involving FTC’s authority to enforce data security. The case was the first one that hadn’t resulted in a consent order. Today’s settlement leaves only the LabMD as a challenge to FTC’s authority to enforce data security, although the Wyndham and LabMD cases raise slightly different issues and the LabMD case is still an administrative proceeding at this point.

The FTC’s press release:

Wyndham Hotels and Resorts has agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.

Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.  In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program.  In addition, the order requires Wyndham’s audit to:

  • certify the “untrusted” status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;
  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
  • certify that the auditor is qualified, independent and free from conflicts of interest.

The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, they must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.

The order provides that if Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. That provision is not effective, however, in the event that Wyndham in any way misleads or provides false information during the annual audit and assessment process.

Wyndham’s obligations under the settlement are in place for 20 years.

The Commission vote approving the proposed stipulated order was 4-0. The FTC filed the proposed stipulated order in the U.S. District Court for the District of New Jersey.

NOTE: Stipulated orders have the force of law when approved and signed by the District Court judge.

Wyndham’s Press Release:

Wyndham Worldwide Corporation (NYSE: WYN) today issued the following statement regarding its settlement with the Federal Trade Commission resulting from the FTC’s investigation of data breaches that occurred at some Wyndham Hotels and Resorts-brand hotel properties from 2008 to 2010.

“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model. This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks.”

Several years ago, Wyndham Hotels and Resorts, LLC was the victim of sophisticated cyberattacks by criminal hackers, who accessed customer information at certain Wyndham Hotels and Resorts-brand hotel properties. The Company promptly alerted law enforcement agencies, retained computer forensic experts, implemented significant security enhancements, and assisted franchised Wyndham Hotels and Resorts-brand hotels in reinforcing their information security. Wyndham also made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. Importantly, to date Wyndham has not received any indication that any hotel customers experienced financial loss as a result of these attacks. The FTC conducted an investigation of this matter and Wyndham cooperated fully. Following are the key terms of the settlement between Wyndham and the FTC announced today:

Wyndham will not pay any monetary relief. The Company is granted a Safe Harbor if it continues to meet certain requirements for “reasonable information security” outlined in the FTC’s consent order. The consent order applies only to payment card information, and does not apply to any other categories of personally identifiable information. Payment Card Industry (“PCI”) certification will satisfy Wyndham’s reporting requirement and provide the basis for the Safe Harbor. The duration of Wyndham’s obligations under the consent order will in no event be longer than 20 years, and in several areas will be shorter.

Update: From the FTC’s site (the appendices relate to PCI standards):

[Proposed] Stipulated Order for Injunction (603.64 KB)
Appendix A to [Proposed] Stipulated Order for Injunction (17.32 MB)
Appendix B to [Proposed] Stipulated Order for Injunction (4.7 MB)
Category: Business SectorHackOf NoteU.S.

Post navigation

← TX: Woodland Heights employee investigated for stealing 450 patients’ info
Hackers Could Take Control Of Your Car, But You Can’t Sue Carmakers For That Risk →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.