The Federal Trade Commission is suing a major hotel chain and its subsidiaries for allegedly failing to secure the financial information of its guests.
The complaint centres on the fact that New Jersey-based Wyndham Worldwide experienced three data breaches in less than three years and in each case, the intruders made off with financial information by breaching the company's Phoenix data centre.
The FTC alleges that Wyndham, which operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries - Wyndham Hotel Group, Wyndham Hotels and Resorts and Wyndham Hotel Management – ‘misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury'.
The FTC also said that the ‘property management systems' of all Wyndham-branded hotels are managed by the defendants, and are connected to the corporate network.
In the first breach, which occurred in April 2008, the hackers gained an initial foothold onto a Phoenix Wyndham hotel's network. Then the attackers pivoted to one of the subsidiary's corporate networks, which granted them access to the property management servers belonging to 41 other Wyndham properties.
In total, the thieves compromised half a million credit card accounts, shipping many of those numbers, which were being stored in clear text, off to a hacker-owned server in Russia.
The following year, vandals used a similar method to latch on to one of the subsidiary's networks, where they installed ‘memory-scraping' malware to steal another 50,000 card numbers from 39 hotels. In 2010, Wyndham announced another breach involving 28 hotels and 69,000 accounts, where the data was moved off-site between late October 2009 and January 2010 when the incident was discovered. Wyndham said that it became aware of the incident after guests reported that their cards had been stolen and used fraudulently after staying at one of the hotels.
The FTC is seeking unspecified relief for incidents which it said resulted in $10.6 million in phony card charges and other expenses.
“Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs and lost access to funds or credit,” the lawsuit said.
“Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm.”
Michael Valentino, a Wyndham spokesman, told SC Magazine US that the company has yet to learn of any fraud that resulted from the breaches. He said he was surprised to learn of the lawsuit.
“We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company,” he said.