FTC lodges complaint against Wyndham

The FTC's law enforcement action against hotel company Wyndham Worldwide Corporation and three of its subsidiaries alleges that a series of security breaches — three within two years — resulted in fraudulent charges, millions of dollars in fraud loss, and the export of hundreds of thousands of people's account information to an Internet domain address registered in Russia.  According to the lawsuit, a number of the defendants' practices, taken together, unreasonably and unnecessarily exposed consumers' personal data, including their credit or debit card numbers, to unauthorized access and theft.

You’ll want to review the FTC's complaint for details about the allegations, but what did the defendants do — and just as importantly, what did they fail to do — that the FTC says resulted in consumer injury?  Some background on how Wyndham does business helps to explain.  Wyndham and its subsidiaries license the Wyndham name to 90 or so independently-owned hotels.  Each Wyndham-branded hotel has its own computer system that handles credit and debit card transactions and stores information like account numbers, expiration dates, and security codes.  Those systems connect to the Internet and to the corporate network of Wyndham Hotels and Resorts, a Wyndham subsidiary.

According to the complaint, the defendants stored payment card information in readable text, used default user IDs and passwords, allowed easy-to-guess passwords, failed to employ firewalls, failed to use reasonable measures to prevent and detect unauthorized network access, failed to conduct security investigations, and failed to monitor computers for malware used in an earlier intrusion.

Because of the defendants’ inadequate security procedures, the FTC says that intruders were able to breach the system repeatedly.  In the first breach in April 2008, the intruders gained access to the local network of a Wyndham-branded hotel in Phoenix.  That, in turn, allowed them to get into the network of Wyndham Hotels and Resorts and the local computers of 41 Wyndham-branded hotels.  Once in, they installed “memory-scraping” malware on the hotels’ servers and opened files that stored account information in clear readable text.  Ultimately, the breach led to the compromise of more than 500,000 accounts and the export of account numbers to the Russian-registered domain.

But wait:  There’s more.  According to the complaint, even after faulty security led to one breach, in March 2009 intruders used similar techniques to gain access to the Wyndham Hotels and Resorts' network.  In addition to using memory-scraping malware, they reconfigured software to get clear text files containing guests’ credit and debit card numbers.  This time, the intruders grabbed more than 50,000 accounts from 39 Wyndham-branded hotels and used the numbers to make fraudulent charges.

Just a few months later, intruders hit again, and again used memory-scraping malware to compromise the Wyndham Hotels and Resorts’ network and the servers of 28 Wyndham-branded hotels.  The upshot:  the theft of 69,000 account numbers and more fraudulent charges.

All the time this was going on, Wyndham’s privacy policy said, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation, centers, visitors to our Web sites, and members participating in our Loyalty Program . . . .”  While acknowledging that “guaranteed security does not exist,” the company promised to “safeguard our Customers’ personally identifiable information by using standard industry practices” and to “take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards” to protect people’s information.

According to the FTC, through those statements and others, the Defendants represented, expressly or by implication, that they used reasonable and appropriate measures to protect personal information against unauthorized access.  Count 1 of the FTC’s complaint alleges that those claims were false and misleading.  Count 2 alleges that the defendants’ failure to employ reasonable and appropriate measures amounted to unfair practices under the FTC Act.

The lawsuit is pending in federal court in Arizona.

 

3 Comments

>> Leave a Comment | Comment Policy

I use Wyndham motel snd some resort quite a bit.

What recourse do I have.
I use 3 cards of which one
is a Wyndhan card.

The FTC's case was just filed, so there's no news yet on that front. But the FTC has some suggestions for anyone whose information may have been compromised in a data breach.

The first step is to read each line of your credit card statement carefully with an eye peeled for unauthorized charges. A telltale sign of ID theft would be charges you didn't authorize or bills showing up for purchases you didn't make. In addition, periodically check your credit report by exercising your right to free reports at www.annualcreditreport.com.

If at some point you think you may be the victim of identity theft, the FTC has free resources available at www.ftc.gov/idtheft that outline the steps you should take. One key step is to follow the link on that page that says FILE A COMPLAINT. If you think your identity has been stolen, it's important that you let us know.

By the way, next week we'll be featuring a post here on the BCP Business Center explaining more about those new resources for people fighting back against ID theft. I hope the information will be helpful.

Thank you for bringing more accountability to badly run businesses.

Leave A Comment

Don't use this blog to report fraud or deceptive practices. To file a complaint with the Federal Trade Commission, please use the FTC Complaint Assistant.

PRIVACY ACT STATEMENT: It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act and the Federal Information Security Management Act authorize this information collection for purposes of managing online comments. Comments and user names are part of our public records system, and user names are also part of our computer user records system. We may routinely use these records as described in our Privacy Act system notices. For more information on how we handle information that we collect, please read our privacy policy.