Wyndham Hotels challenges FTC security suit over breaches


Wyndham Hotels and Resorts has filed a motion in U.S. District Court in Phoenix to dismiss a complaint launched by the Federal Trade Commission (FTC) over the chain's repeated security breaches.

According to the FTC, the offenses began when Russian hackers breached Wyndham's Phoenix data center in 2008 and stole the financial information of customers, leading to two subsequent breaches in a two-year period.

The FTC filed a lawsuit against Wyndham in June, claiming that more than $10 million in fraudulent purchases were made with hundreds of thousands of credit card numbers belonging to customers.

In response, Parsippany, N.J.-based Wyndham moved to dismiss the complaint on Aug. 27, saying in its filing that the FTC “singled out” Wyndham in “unprecedented litigation.”

“Indeed, the FTC's approach to data security regulation in this very case only confirms that the commission has neither the expertise nor the statutory authority to establish data security standards for the private sector,” the motion said. “The FTC has not published any rules or regulations that might provide the business community with ex ante [beforehand] notice of what data security protections a company must employ to be in compliance with the law.”

The FTC has contended that Wyndham, which operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries -- Wyndham Hotel Group; Wyndham Hotels and Resorts, LLC; and Wyndham Hotel Management -- "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury."

It sued the major hotel chain for alleged violations under the FTC Act.

Legal experts said this case may be the first time the FTC has ever had to litigate its data security allegations. In the past, it has settled with major companies, like Google and RockYou, over privacy violations and breaches.

On Tuesday, Chester Wisniewski, a senior security adviser at Sophos, told SCMagazine.com that federally mandated guidelines for data security may not exist in the United States, but that does not exempt companies from being held accountable for major missteps.

He said that if the FTC's claims against Wyndham were true, the hotel company was “definitely negligent.”

“There is no clearly defined legal standard, so what the FTC has to fall back on is industry standard best practices,” Wisniewski said. “For instance, we take different precautions when we are handling customers' personal information than when we are putting up a print server – something that clearly isn't sensitive.”
