When you go on vacation, the last thing you want to do is be hassled with a credit card problem because someone at your hotel screwed up. But, according to the Federal Trade Commission (FTC), that’s what’s happened to a lot of folks who stayed at Wyndham Hotels.
The FTC has filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.
According to the agency, these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
Whether this will hurt Wyndham's standing with its customers remains to be seen. ConsumerAffairs conducted a computerized sentiment analysis of about 150,000 postings on social media over the last year and found a distinct dip consumers' perceptions of Wyndham during May and June.
The lodging and entertainment chain went from a 79% positive sentiment in January to just 39% by June.
Privacy shortcomings were by far the most frequent negative sentiments displayed by consumers during the year.
Wyndham and its subsidiaries license the Wyndham name to approximately 90 independently-owned hotels, under franchise and management agreements.
Since 2008 Wyndham has claimed, on its Wyndham Hotels and Resorts subsidiary’s Website that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”
According to the FTC’s complaint, the repeated security failures exposed consumers’ personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged. In addition, the defendants allowed improper software configurations that resulted in the storage of sensitive payment card information in clear readable text.
Each Wyndham-branded hotel has its own property management computer system that handles payment card transactions and stores information on such things as payment card account numbers, expiration dates, and security codes. According to the FTC, in the first breach in April 2008, intruders gained access to a Phoenix, Arizona Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts.
Because of Wyndham’s inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham’s Hotels and Resorts subsidiary, and the property management system servers of 41Wyndham-branded hotels. This access enabled the intruders to:
- install “memory-scraping” malware on numerous Wyndham-branded hotels' property management system servers.
- access files on Wyndham-branded hotels’ property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.
Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.
Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached two more times in less than two years.
In March 2009, intruders again gained unauthorized access to Wyndham Hotels and Resorts' network, using similar techniques as in the first breach. In addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests.
In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts.
Later in 2009, intruders again installed memory-scraping malware and thereby compromised Wyndham Hotels and Resorts’ network and the property management system servers of 28 Wyndham-branded hotels.
As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts.
The defendants in the case are: Wyndham Worldwide Corporation; its subsidiary, Wyndham Hotel Group, LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group – Wyndham Hotels and Resorts, LLC and Wyndham Hotel Management, Inc.