FTC Sues Wyndham Hotels Over Data Breaches

The Federal Trade Commission has filed a lawsuit against Wyndham Worldwide Corporation and three of its subsidiaries for cyber security failures that led to a series of data breaches in 2008 and 2009.

"In its complaint, the FTC said fraudulent charges on consumer accounts totaled more than $10.6 million following three data breaches in less than two years," Reuters reports.

"The first breach, in April 2008, affected more than 500,000 credit card accounts and resulted in hundreds of thousands of account numbers and related data to be transferred to an Internet domain registered in Russia," writes The New York Times' Edward Wyatt. "Two more breaches occurred in 2009, the F.T.C. said, each giving the intruders access to 50,000 or more consumer card accounts. The data was then used to make fraudulent charges on the consumers’ accounts."

"The commission claims that those breaches are a result of Wyndham’s failure to properly use complex passwords, a network setup that didn’t properly separate corporate and hotels systems, and 'improper software configurations' that led to sensitive payment card information being stored without encryption," writes Forbes' Andy Greenberg. "The FTC contrasts that lack of protection with Wyndham’s privacy policy statements that claim to 'recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Programs,' and promise the use of strong encryption and firewalls."