FTC Sues Wyndham Worldwide for Alleged Data-Security Failures

June 27, 2012

The Federal Trade Commission has filed a lawsuit against hotel and time-share company Wyndham Worldwide Corp. (WYN) and three of its subsidiaries, alleging data-security failures that led to three data breaches at Wyndham hotels in less than two years, according to an article from the Wall Street Journal.

In a lawsuit filed in Federal District Court in Arizona, the FTC said that Wyndham, which through its affiliates manages and franchises Ramada, Days Inn and Super 8 hotels, among others, often stored consumers’ credit card information in text files that were easily read by hackers, according to an article from The New York Times. Three times from April 2008 to January 2010, intruders gained access to the company’s computer systems, the agency said, and the company failed to take corrective measures after each of the first two breaches, the Times reports..

According to the New York Times article: The commission charged Wyndham, which says it cooperated with the investigation, with unfair and deceptive practices, violating Section 5 of the Federal Trade Commission Act. Wyndham claimed on its Web site that it protected the personal data of its customers, the FTC said.

The FTC does not have the authority to fine companies for violations of the FTC Act, except in certain circumstances. It asked the federal court for an injunction to prevent further violations and for relief “to redress injury to consumers,” including restitution for losses.

The FTC’s complaint claimed more than $10.6 million in fraud losses. Wyndham, however, said it knew of no customers who suffered a financial loss because of the incidents.

The first breach, in April 2008, affected more than 500,000 credit card accounts and resulted in the transfer of hundreds of thousands of account numbers and related data to an Internet domain registered in Russia.

Two more breaches occurred in 2009, the FTC said, each giving the intruders access to 50,000 or more consumer card accounts. The data was then used to make fraudulent charges on the consumers’ accounts.

In its complaint, the FTC alleges that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, the Wall Street Journal reports. The complaint also claims that the company’s failure to safeguard personal information caused substantial harm to consumers. The agency charges that the security practices violated the FTC Act, which gives the FTC powers to prevent unfair or deceptive practices affecting commerce, the article says.

In a statement made to the New York Times, Wyndham Worldwide spokesman Michael Valentino said, “At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised and offered them credit monitoring services."

“To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks,” Mr. Valentino said in the New York Times article. “Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.”

He added: “We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.”

Strong lodging demand, especially among business travelers, has been a driver behind results from the operator of the Ramada, Howard Johnson and Days Inn hotel chains in recent quarters, according to the Wall Street Journal. In April, Wyndham said its first-quarter earnings fell 56 percent as costs tied to the company's debt refinancing efforts weakened results, masking a stronger-than-expected core profit.

Shares were up 5 cents at $50.81, the article states. The stock is up 34 percent so far this year.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

FTC Sues Wyndham Worldwide for Alleged Data-Security Failures

Related Articles

Related Products

Related Events

Report Abusive Comment