FTC sues Wyndham Hotels after three credit card breaches
The Federal Trade Commission is suing a major hotel chain and its subsidiaries for allegedly failing to secure the financial information of its guests, which led to fraudulent charges of more than $10 million and the siphoning out of hundreds of thousands of credit card numbers.
The complaint (PDF), announced Tuesday, centers on the fact that New Jersey-based Wyndham Worldwide Corp. experienced three data breaches in under three years. In each case, the intruders made off with financial information by breaching the company's Phoenix data center.
The FTC alleges that Wyndham, which operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries -- Wyndham Hotel Group, Wyndham Hotels and Resorts, LLC, Wyndham Hotel Management -- "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury."
The "property management systems" of all Wyndham-branded hotels, according to the FTC, are managed by the defendants and are connected to the corporate network.
In the first breach, which occurred in April 2008, the hackers gained an initial foothold onto a Phoenix Wyndham hotel's network, the FTC said. Then, they pivoted to one of the subsidiary's corporate networks, which granted them access to the property management servers belonging to 41 other Wyndham properties.
In total, the thieves compromised a half-million credit card accounts, shipping many of those numbers -- which were being stored in clear text -- off to a hacker-owned server in Russia.
The following year, vandals used a similar method to latch on to one of the subsidiary's networks, where they installed "memory-scraping" malware to steal another 50,000 card numbers from 39 hotels. Then, in early 2010, Wyndham announced yet another breach involving 28 hotels and 69,000 accounts.
The FTC is seeking unspecified relief for incidents which it said resulted in $10.6 million in phony card charges and other expenses.
"Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit," the lawsuit said. "Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm."
Michael Valentino, a Wyndham spokesman, told SCMagazine.com via a statement on Tuesday that the company has yet to learn of any fraud that resulted from the breaches. He said he was surprised to learn of the lawsuit.
"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," Valentino said. "We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company."
For several years, the hospitality industry has proven a rich target for cyber crime.