Guests of Wyndham Hotels may have had their card details compromised following intervention by a hacker in late January.

In an open letter posted on its website senior vice president of enterprise compliance and employment counsel at Wyndham Worldwide, Kirsten Hotchkiss, said that it ‘discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centres over a three-month period'.

She confirmed that guest names and card numbers, expiration dates and other data from the card's magnetic stripe were compromised. However because only payment card information was compromised, at this time, she said she could not confirm the individuals whose card information may have been acquired, although no criminal identity theft related to the use of the consumer data had been identified at the time of posting.

She said: “By going through the centralised network connections, the hacker was able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system.”

Wyndham said that the data was moved off-site between late October, 2009 and January 2010, when the incident was discovered. It said that it became aware of the incident after guests reported that their cards had been stolen and used fraudulently after staying at one of the WHR hotels.

It responded by shutting down the impacted server and terminating all traffic to the offsite URL. A PCI (Payment Card Industry) assessment firm has been retained to perform a forensic investigation of the incident, which includes a review of certain hotel property servers, while the Secret Service and payment card companies have been notified.

It said that the full investigation is expected to take more than eight weeks, and it is expected to identify those guests affected by the end of March. “Wyndham prides itself on providing exceptional value for our guests. We deeply regret this incident occurred and we will work hard to restore your confidence in our brand,” said Hotchkiss.

Commenting, Steve Moyle, co-founder and CTO at Secerno, said that this incident, and the response, creates more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to knowledge of data theft affecting their accounts.

He said: “In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach.

“In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.

“What Wyndham did instead is to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required.

“The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his/her data has been stolen.

“As for the hotel's mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI does not equal safe data.”