In what appears to be a landmark case, the United States Federal Trade Commission has filed a complaint against hotel and property management firm Wyndham Worldwide, Wyndham Hotel Group, Wyndham Hotels and Resorts and Wyndham Hotel Management.
What makes it interesting is that the FTC alleges Wyndham unreasonably and unnecessarily exposed consumers’ personal data, including their credit or debit card numbers, to unauthorized access or theft.
Over the course of two years, Wyndham was compromised at least three times, resulting in credit card and personally identifiable information being stolen and shipped off to criminals based in Russia.
The FTC states that this resulted in at least $10.6 million in fraudulent charges and the theft of hundreds of thousands of its customers’ information.
The specifics of the complaint are quite damning. The suit alleges Wyndham stored customer credit card data in plain text, used default user IDs and passwords, allowed easy-to-guess passwords, failed to deploy firewalls, failed to detect and prevent unauthorized access, failed to conduct security investigations and failed to properly protect its computers from malware.
The malware used by the criminals had the ability to scrape memory for credit card data, although that appears to have been unnecessary considering the card data was stored in unprotected form. I wrote about hospitality organizations being targeted with card thieving malware just last November.
The FTC says that after the first attack Wyndham failed to prevent two subsequent identical attacks that appear to have been conducted by the same criminals.
The complaint points out that Wyndham’s privacy policy states:
“We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program . . . . [We] safeguard our Customers’ personally identifiable information by using standard industry practices” and “take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards”.
Count one of the FTC’s suit alleges that these claims are false or misleading and count two alleges that its failure to meet those obligations amounts to unfair practices under the FTC Act.
While it is a terrible thing that Wyndham was attacked by these thugs and even worse for the victims of the resulting fraud, I was extremely pleased to see this announcement. It is time for organizations to not just talk the talk of data security, but walk the walk.
The lack of action after repeatedly being compromised is truly unacceptable behavior and without the oversight of agencies like the FTC, consumers are left unaware of the risk they are exposed to.
It may be impossible to create a hack-proof network, but it is possible to take reasonable safeguards to ensure criminals can’t just walk in and take all of your data. Defense in depth is essential to securing networks and data.
Most of the technologies needed to mount an effective defense are easily obtained. It isn’t rocket science, folks.
I hope more companies get fined/sued if they are found to be lax or negligent in safeguarding customer personal information. I had a cord blood storage company lose my personal information by having some nitwit tech transport unencrypted backup drives and a laptop in his car, only to have it stolen. My personal info was used to open up two AT&T wireless accounts and purchase two iPhones two months later.
So much of security is the mundane: ensuring all computers receive patches/virus updates, ensuring all computers have non-default passwords, etc. It's vital, but it's non-sexy work, and many companies/security people scrimp on the manpower needed for it.