FTC Sues Hotel Chain for Card BreachesBanks Should be Concerned About Card Fraud, Phishing
The Federal Trade Commission has filed a suit against the hotel chain Wyndham Worldwide Corp. and three of its subsidiaries in connection with three security breaches that exposed stored card details for nearly 670,000 accounts.
The FTC claims in a June 26 statement that Wyndham's alleged security gaps allowed hackers to infiltrate the hotel chain's network on three separate occasions in less than two years and export card details. The exported data was traced to an Internet domain address registered in Russia.
Wyndham was contacted for reaction, and is expected to respond to the allegations.
"If the allegations by the FTC are true, this is a damning indictment of Wyndham's security, and its commitment to customer privacy and safety," says Neal O'Farrell, executive director of The Identity Theft Council, a grassroots ID theft protection agency that works with financial institutions and consumers to promote privacy and thwart incidents of ID theft. "I've seen small businesses with better security."
O'Farrell says the weak links are likely Wyndham's franchised locations, "where poor security standards can create easy opportunities for intruders." He adds: "Those weak links become a back door to the corporate network and a treasure trove of sensitive information. [It's] not surprising that the Trustwave 2012 Global Security Report found that nearly one third of all breach investigations were at franchised businesses."
What It Means for Card Issuers
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says the breaches should compel banks and credit unions to implement actions to protect accountholders that go beyond card monitoring, such as warning consumers about the possibility for phishing attacks.
"This case involves egregious acts that occurred in the past, but I'm quite sure the stolen information is still being brokered over the Internet for phishing scams and account takeover scams," Buzzard says. "It seems as if we have arrived at a juncture where consumer PII is no longer pristine or trustworthy for authentication because the data just keeps getting compromised and the penalties seem so minor for the parties involved."
O'Farrell says financial institutions are the biggest victims in cases such as this.
"They often have to take the blame from their customers when they notify them of card cancellations, and they have to cover the losses, too," he says.
O'Farrell says the best thing card-issuing institutions can do is monitor for fraudulent activity that may have a Wyndham connection.
Monitoring accounts "doesn't prevent the fraud, but simply notifies you that it's occurred so you can respond and fix it," he says. "That's been the pattern of data breaches for years. Companies like Wyndham create the mess, leaving banks and customers to deal with the fallout and clean up the mess."
The Case Against Wyndham
Wyndham-branded hotels use property management computer systems that handle card transactions and store information, such as card account numbers, expiration dates and security codes, according to the FTC. The FTC alleges millions of dollars in fraud losses resulted from the three breaches, which are believed to have occurred in 2008 and 2009.
The case against Wyndham is part of the FTC's ongoing efforts to ensure organizations and businesses protect consumer privacy and data. In its complaint, the FTC alleges the security measures relied upon by Wyndham and its subsidiaries did not meet standards outlined in Wyndham's privacy policies for the protection of consumers' personal information.
The FTC has filed charges against Wyndham Worldwide Corp., the parent company; Wyndham Hotel Group LLC, which franchises and manages approximately 7,000 hotels; and two subsidiaries of Wyndham Hotel Group, Wyndham Hotels and Resorts LLC and Wyndham Hotel Management Inc.
Wyndham and its subsidiaries license the Wyndham name to approximately 90 independently owned hotels.
The FTC claims Wyndham and its subsidiaries failed to implement standard security measures, such as complex user IDs and passwords, firewalls and network segmentation between hotels and the corporate network. Additionally, the FTC says improper software configurations used by the hotel chain and its subsidiaries resulted in the improper storage of sensitive card information in clear readable text. The storing of sensitive payment card information also violates the Payment Card Industry Data Security Standard.
The FTC says the first breach occurred in April 2008, when cyberintruders gained access to a Phoenix Wyndham-branded hotel's local computer network that was connected to the Internet and the corporate network of Wyndham Hotels and Resorts.
Hackers accessed the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels.
The FTC claims hackers then installed memory-scraping malware on numerous property management system servers of the Wyndham-branded hotels to access files that contained large amounts of consumer card information. The breach allegedly led to the compromise of more than 500,000 payment cards and the export of hundreds of thousands of account numbers.
After the breach, the FTC charges, Wyndham failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures.
In March 2009, intruders again gained unauthorized access to Wyndham Hotels and Resorts' network, using techniques similar to those employed in the first breach. In addition to installing memory-scraping malware, hackers also reconfigured software to obtain clear text files containing the payment card numbers. Information at 39 Wyndham-branded hotels on more than 50,000 accounts was exposed and allegedly used to make fraudulent charges.
Later in 2009, hackers again installed memory-scraping malware and compromised Wyndham Hotels and Resorts' network and the property management system servers of 28 Wyndham-branded hotels, the FTC claims. Approximately 69,000 card accounts were exposed, which resulted in more fraudulent purchases.
The FTC's complaint was filed in the U.S. District Court for the District of Arizona.