FTC Sues Wyndham Worldwide for Alleged Data-Security Failures

June 27, 2012

The Federal Trade Commission has filed a lawsuit against hotel and time-share company Wyndham Worldwide Corp. (WYN) and three of its subsidiaries, alleging data-security failures that led to three data breaches at Wyndham hotels in less than two years, according to an article from the Wall Street Journal.

In a lawsuit filed in Federal District Court in Arizona, the FTC said that Wyndham, which through its affiliates manages and franchises Ramada, Days Inn and Super 8 hotels, among others, often stored consumers’ credit card information in text files that were easily read by hackers, according to an article from The New York Times. Three times from April 2008 to January 2010, intruders gained access to the company’s computer systems, the agency said, and the company failed to take corrective measures after each of the first two breaches, the Times reports..

According to the New York Times article: The commission charged Wyndham, which says it cooperated with the investigation, with unfair and deceptive practices, violating Section 5 of the Federal Trade Commission Act. Wyndham claimed on its Web site that it protected the personal data of its customers, the FTC said.

The FTC does not have the authority to fine companies for violations of the FTC Act, except in certain circumstances. It asked the federal court for an injunction to prevent further violations and for relief “to redress injury to consumers,” including restitution for losses.

The FTC’s complaint claimed more than $10.6 million in fraud losses. Wyndham, however, said it knew of no customers who suffered a financial loss because of the incidents.

The first breach, in April 2008, affected more than 500,000 credit card accounts and resulted in the transfer of hundreds of thousands of account numbers and related data to an Internet domain registered in Russia.

Two more breaches occurred in 2009, the FTC said, each giving the intruders access to 50,000 or more consumer card accounts. The data was then used to make fraudulent charges on the consumers’ accounts.

In its complaint, the FTC alleges that Wyndham's privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information, the Wall Street Journal reports. The complaint also claims that the company’s failure to safeguard personal information caused substantial harm to consumers. The agency charges that the security practices violated the FTC Act, which gives the FTC powers to prevent unfair or deceptive practices affecting commerce, the article says.

In a statement made to the New York Times, Wyndham Worldwide spokesman Michael Valentino said, “At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised and offered them credit monitoring services."

“To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks,” Mr. Valentino said in the New York Times article. “Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.”

He added: “We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.”

Strong lodging demand, especially among business travelers, has been a driver behind results from the operator of the Ramada, Howard Johnson and Days Inn hotel chains in recent quarters, according to the Wall Street Journal. In April, Wyndham said its first-quarter earnings fell 56 percent as costs tied to the company's debt refinancing efforts weakened results, masking a stronger-than-expected core profit.

Shares were up 5 cents at $50.81, the article states. The stock is up 34 percent so far this year.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.