Credit Lawsuit News

June 28, 2012

FTC Lawsuit Alleges Wyndham Failed to Protect Customer Data All Three Times

Consumer protection agency FTC is going after hotel operator Wyndham Worldwide for not doing enough to protect customer financial data.

The U.S. Federal Trade Commission has filed a lawsuit against mega-hotel Wyndham Worldwide and three of its subsidiaries for failing to protect consumer data, the regulatory body said Tuesday. The hotel chain suffered three breaches in 2008 and 2009, and payment card information belonging to hundreds of thousands of customers was transferred to an Internet domain registered in Russia, according to the FTC release.

The lawsuit alleges Wyndham failed to take appropriate security measures to protect customer data. Wyndham supposedly stored payment card information such as credit card numbers, security codes, and expiration dates, in clear text, according to the FTC. Attackers used similar techniques and memory-scraping malware in each of the incidents, according to the lawsuit.

The lack of action after “repeatedly being compromised is truly unacceptable behavior,” Chester Wisniewski, senior security advisor at Sophos Canada, wrote on Naked Security. While a “hack-proof network” may not be possible, organizations should be taking “reasonable safeguards” to ensure criminals can't just walk in and take the data. “It isn't rocket science, folks,” he wrote.

Be Prepared
Organizations have to accept that if attackers want to get into their networks, they will. Instead, the priority needs to be on detecting a breach when it happens, and being prepared to respond rapidly to minimize damage, Mike Reagan, chief marketing officer of LogRhythm, told Security Watch.

The company and its subsidiaries failed to take other security measures such as mandating complex user IDs and passwords, using firewalls, and segmenting the network, the FTC said. Attackers were able to jump from a local hotel network to the company's property management network in all three incidents.

Lawsuit Details
Filed in the U.S. District Court for the District of Arizona because all three breaches involved the data center in Phoenix, the FTC lawsuit seeks to order Wyndham to stop deceiving customers about its information security practices in its privacy policy. The FTC also wants Wyndham to refund lost money to customers.

The three malware attacks resulted in $10.6 million in phony credit card charges and other expenses, the agency said.

Wyndham Worldwide, along with its subsidiaries Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management, "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury," the FTC said.

Wyndham said customers were promptly notified after the data breaches and that the company had improved its information security devices. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," the company said in a statement. The hotel chain also includes Ramada, Super 8, Days Inn, and Howard Johnson.

"Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit," the FTC said in its lawsuit, adding, "Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm."

securitywatch.pcmag.com

