
FTC Sues Wyndham Worldwide For Misrepresenting Its Data Security

Late last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against Wyndham Worldwide Corporation, the Parsippany, New Jersey-based international hotel conglomerate, for alleged data security failures that resulted in three data breaches at Wyndham hotels in less than two years. The suit (Adobe PDF) alleged that:

"Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia. In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants’ Phoenix, Arizona data center."

Specifically, the suit alleged that Wyndham's website privacy policy misrepresented the data security measures the company used to protect consumers' sensitive personal and payment information. The suit alleged that the hotel's data security:

"... failed to use readily available security measures to limit access between and among the Wyndham-branded hotels’ property management systems, the Hotels and Resorts’ corporate network, and the Internet, such as by employing firewalls... allowed software at the Wyndham-branded hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text... failed to remedy known security vulnerabilities on Wyndham branded hotels’ servers that were connected to Hotels and Resorts’ computer network, thereby putting personal information held by Defendants and the other Wyndham branded hotels at risk. For example, Defendants permitted Wyndham-branded hotels to connect insecure servers to the Hotels and Resorts’ network, including servers using outdated operating systems that could not receive security updates or patches... allowed servers to connect to Hotels and Resorts’ network, despite the fact that well-known default user IDs and passwords were enabled on the servers, which were easily available to hackers through simple Internet searches... failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess. Defendants did not require the use of complex passwords for access to the Wyndham-branded hotels’ property management systems..."

This is pretty damning: sensitive payment card data that should have been encrypted was stored in clear text, passwords were too easy to guess, and servers ran obsolete operating systems that could no longer receive security updates or patches. The suit, filed in U.S. District Court in Arizona, named as defendants both Wyndham Worldwide and three of its subsidiaries:

It is good to see the FTC take these types of actions, especially because consumers have no way to verify that companies comply with the promises in their data security and privacy policies.
