US authorities have filed a lawsuit against Wyndham Worldwide, the holding company for Wyndham Hotels & Resorts, Group RCI and other lodging brands.
The US Federal Trade Commission (FTC) claims that Wyndham Worldwide and three subsidiaries failed to protect sensitive customer credit card data, allowing cyber thieves to rob consumers. The security breach is said to have led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ credit card account numbers to an internet domain registered in Russia.
The FTC claims that data security failures led to three data breaches at Wyndham hotels in less than two years, leading in turn to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of the credit card information.
The FTC says its case against Wyndham is part of ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.
Wyndham (spun off from Cendant Corporation in 2006) and its subsidiaries license the Wyndham name to approximately 90 independently owned hotels under franchise and management agreements.
The FTC states that since 2008, Wyndham has claimed on its Wyndham Hotels and Resorts subsidiary’s website that: “We recognise the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centres, visitors to our Web sites, and members participating in our Loyalty Program …”
According to the FTC’s complaint, repeated security failures exposed consumers’ personal data to unauthorised access.
Wyndham and its subsidiaries failed to take basic security measures such as requiring complex user IDs and passwords, deploying firewalls, and segmenting the hotels’ networks from the corporate network, the agency alleges. The defendants are also alleged to have allowed improper software configurations that resulted in sensitive payment card information being stored in clear, readable text.
The FTC said that each Wyndham-branded hotel runs its own property management computer system, handling payment card transactions and storing information on such things as payment card account numbers, expiration dates, and security codes.
According to the FTC, in the first breach in April 2008, intruders gained access to the local computer network of a Wyndham-branded hotel in Phoenix, Arizona that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts.
“Because of Wyndham’s inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham’s Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels,” the FTC said.
It claimed that this access enabled the intruders to:
- Install “memory-scraping” malware on numerous Wyndham-branded hotels’ property management system servers.
- Access files on Wyndham-branded hotels’ property management system servers that contained payment card account information for large numbers of consumers, which was improperly stored in clear readable text.
Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.
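The clear-text storage the FTC describes is something a practitioner can check for directly. The following is an added example, not code from the article, from Wyndham or from the FTC: a small scanner that looks through property management system exports, logs or configuration dumps for Luhn-valid primary account numbers (PANs) and for sensitive authentication data such as CVV values, and shows the PCI-style masked form (first six and last four digits) in which a PAN may be retained. The sample log is constructed and uses well-known test card numbers, not real accounts; the field names (`pan=`, `cvv=`, `folio=`) are assumptions about what a PMS log might look like. Note that a file scan like this finds data at rest; the “memory-scraping” malware in the complaint reads card data out of the PMS process memory, where it is transiently in clear text even when the files on disk are protected, so this check complements rather than replaces host-level monitoring.

```python
"""Find payment card data stored in clear text (added example, not the
article's, Wyndham's or the FTC's code). Sample input below is constructed;
the card numbers are standard test numbers, not real accounts."""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (CVV/CVC, track data) must never be stored
# after authorisation; field names here are assumed, not from any real PMS.
SAD_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|track[12])\s*[:=]\s*\S+")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in clear text, digits only, in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # digit run that is not a card number
    return PAN_RE.sub(_sub, text)


def scan(lines):
    """Yield (line_no, pans, has_sad) for each line holding card data."""
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        sad = bool(SAD_RE.search(line))
        if pans or sad:
            yield n, pans, sad


# Constructed PMS-style transaction log. Lines 1-3 show the failure the FTC
# alleged (PAN and CVV in clear); line 4 is a non-card digit run that the
# Luhn check rejects; line 5 shows a correctly masked PAN, which is not flagged.
SAMPLE_LOG = """\
2008-04-12 09:14:03 folio=10231 guest=J.Doe auth OK pan=4111 1111 1111 1111 exp=0910
2008-04-12 09:14:04 folio=10231 cvv=123 settle batch=17
2008-04-12 09:15:11 folio=10232 guest=A.Roe auth OK pan=5500-0000-0000-0004 exp=1109
2008-04-12 09:16:00 reservation confirmation 1234567890123 (not a card)
2008-04-12 09:16:42 folio=10233 pan=411111******1111 exp=0110
"""

if __name__ == "__main__":
    for n, pans, sad in scan(SAMPLE_LOG.splitlines()):
        masked = [mask_pan(p) for p in pans]
        print(f"line {n}: PANs={masked} sensitive_auth_data={sad}")
```

Run against the sample, the scanner flags lines 1 and 3 for clear-text PANs and line 2 for a stored CVV, and ignores the confirmation number and the already-masked record. In practice the same check is run over PMS database exports, application logs and backups, and any hit on a CVV or track field is a finding regardless of encryption, since that data may not be retained at all.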
Even after faulty security led to one breach, the FTC charged, Wyndham still failed to fix known security vulnerabilities; failed to employ reasonable measures to detect unauthorised access; and failed to follow proper incident response procedures. As a result, the FTC says Wyndham’s security was breached two more times in less than two years.
“In March 2009, intruders again gained unauthorised access to Wyndham Hotels and Resorts’ network, using similar techniques as in the first breach. In addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests. In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers’ accounts.
“Later in 2009, intruders again installed memory-scraping malware and thereby compromised Wyndham Hotels and Resorts’ network and the property management system servers of 28 Wyndham-branded hotels. As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts.”
The defendants in the case are: Wyndham Worldwide Corporation; its subsidiary, Wyndham Hotel Group, LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group – Wyndham Hotels and Resorts, LLC and Wyndham Hotel Management, Inc.
Commenting on the case, the respected travel tech site Tnooz said that the biggest loss could well turn out to be “the loss of consumer confidence that Wyndham – and the wider industry – might incur as a result of these breaches”.
Tnooz noted that in the case of Wyndham and many other targets of cyber attacks, weak login credentials in property management systems are “a key vector for data breaches”.
“Security is a chain that links almost every aspect of a business from the front desk to the senior staff,” Tnooz commented. “Any weakness in that chain means a possible compromise.
“What has happened at Wyndham should be taken as a serious wake up call to the travel industry. The security practices, or lack thereof, that resulted in the breaches at Wyndham could have happened to anyone.”
Written by: Peter Needham