Wyndham Hotels breached, $10m stolen from guests


US Federal Trade Commission alleges the hotel chain failed to implement basic security practices.

A major hotel chain and its subsidiaries have been sued for allegedly failing to secure the financial information of their guests, a failure that led to fraudulent charges of more than $US10 million and the theft of hundreds of thousands of credit card numbers.

The complaint centers on three data breaches in as many years. In each case, the intruders made off with financial information by breaching the company's data centre.

The Federal Trade Commission alleged that Wyndham, which operates 7200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries -- Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management -- "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury."

The "property management systems" of all Wyndham-branded hotels, according to the FTC, were managed by the defendants and were connected to the corporate network, so a compromise of one property's network was not isolated from the rest.

In the first breach, which occurred in April 2008, the hackers gained an initial foothold onto a Phoenix Wyndham hotel's network, the FTC said.

From there, they pivoted into a subsidiary's corporate network, which in turn gave them access to the property management servers of 41 other Wyndham properties.

In total, the thieves compromised a half-million credit card accounts, shipping many of those numbers -- which were being stored in clear text -- off to a hacker-owned server in Russia.

The following year, criminals used a similar method to get into a subsidiary's network, where they installed "memory-scraping" malware, which reads card data out of the memory of payment applications while it is being processed in the clear, and stole another 50,000 card numbers from 39 hotels. Then, in early 2010, Wyndham announced yet another breach involving 28 hotels and 69,000 accounts.
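The two techniques named in the complaint, clear-text card storage and memory scraping, both depend on card numbers sitting unprotected in a readable buffer. The following is an added example, not code from the article, the FTC or Wyndham, of the check a defender (or a scraper) would run over such a buffer: find digit runs of card-number length and keep only those that pass the Luhn check. The buffer is constructed here to stand in for a slice of point-of-sale process memory, and the card numbers in it are the widely published test PANs (4111..., 5500..., 3782...), not real accounts.

```python
import re

# Constructed sample standing in for a slice of payment-application memory.
# It mixes public test PANs with non-card digit runs: a timestamp of PAN length
# and a 16-digit sequence that fails the Luhn check.
SAMPLE_MEMORY = (
    b"GET /pms/checkin?room=412 HTTP/1.1\x00"
    b"ts=1209600000000000\x00"                       # 16 digits, not a card
    b"track2=;4111111111111111=25121010000000000000?\x00"
    b"card=5500000000000004\x00"
    b"amex=378282246310005\x00"
    b"junk=1234567890123456\x00"                     # fails Luhn
    b"\xff\xfe\x00\x01"
)

# Digit runs of 13-19 characters that are not part of a longer digit run.
CANDIDATE_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return card-number-like digit runs in buf that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(buf):
        candidate = m.group(1).decode("ascii")
        if luhn_ok(candidate):
            found.append(candidate)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_MEMORY):
        print("clear-text PAN found:", mask_pan(pan))
```

Run against a real process dump or a database export, a hit list like this is evidence that card data exists in the clear where it should not; the Luhn filter removes most timestamps, order numbers and random digit runs that a bare regex would report.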

The FTC is seeking unspecified relief for incidents which it said resulted in $10.6 million in phony card charges and other expenses.

"Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit," the lawsuit said. "Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm."

Michael Valentino, a Wyndham spokesman, told SCMagazine.com via a statement on Tuesday that the company has yet to learn of any fraud that resulted from the breaches. He said he was surprised to learn of the lawsuit.

"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," Valentino said. "We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company."

For several years, the hospitality industry has proven a rich target for cyber crime.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

