Wyndham Hotels breached, $10m stolen from guests

By on
Wyndham Hotels breached, $10m stolen from guests

US Federal Trade Commission alleges the hotel chain failed to implement basic security practices.

A major hotel chain and its subsidiaries have been sued for allegedly failing to secure the financial information of its guests which led to fraudulent charges of more than $US10 million and the theft of hundreds of thousands of credit card numbers.

The complaint centers on three data breaches in as many years. In each case, the intruders made off with financial information by breaching the company's data centre.

The Federal Trade Commission alleged that Wyndham, which operates 7200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries -- Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management -- "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury."

The "property management systems" of all Wyndham-branded hotels, according to the FTC, were managed by the defendants and are connected to the corporate network.

In the first breach, which occurred in April 2008, the hackers gained an initial foothold onto a Phoenix Wyndham hotel's network, the FTC said.

Then, they pivoted to one of the subsidiary's corporate networks, which granted them access to the property management servers belonging to 41 other Wyndham properties.

In total, the thieves compromised a half-million credit card accounts, shipping many of those numbers -- which were being stored in clear text -- off to a hacker-owned server in Russia.

The following year, criminals used a similar method to latch on to one of the subsidiary's networks, where they installed "memory-scraping" malware to steal another 50,000 card numbers from 39 hotels. Then, in early 2010, Wyndham announced yet another breach involving 28 hotels and 69,000 accounts.

The FTC is seeking unspecified relief for incidents which it said resulted in $10.6 million in phony card charges and other expenses.

"Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit," the lawsuit said. "Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm."

Michael Valentino, a Wyndham spokesman, told SCMagazine.com via a statement on Tuesday that the company has yet to learn of any fraud that resulted from the breaches. He said he was surprised to learn of the lawsuit.

"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," Valentino said. "We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company."

For several years, the hospitality industry has proven a rich target for cyber crime.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?