The Federal Trade Commission announced that it has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries “for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.”
The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia. […]
According to the FTC’s complaint, the repeated security failures exposed consumers’ personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged. In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text. […]
Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.
Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached two more times in less than two years. […]
The defendants in the case are: Wyndham Worldwide Corporation; its subsidiary, Wyndham Hotel Group, LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group – Wyndham Hotels and Resorts, LLC and Wyndham Hotel Management, Inc.