FTC sues Wyndham hotels over data breaches

The U.S. Federal Trade Commission has filed a lawsuit against hotel chain Wyndham Worldwide and three subsidiaries for allegedly storing data in plain text and other security failures that enabled hackers to access more than 600,000 payment card accounts in three data breaches in less than two years.

The hackers exported the payment card account data to an Internet domain address registered in Russia, according to the FTC lawsuit (PDF). They then used the data stolen from Wyndham's data center in Phoenix to make transactions, resulting in fraud losses of more than $10.6 million, the suit says.

The FTC suit alleges that Wyndham's privacy policy misrepresented the security measures the company and its subsidiaries took to protect customer personal information. In addition to storing card data in plain text, the hotel chain failed to: use firewalls; remedy known security vulnerabilities; update and patch software; change default user IDs and passwords on servers; and require strong user passwords, the FTC alleges.

The company's privacy policy on its Web site states, "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, "Customers")...." the suit notes. The security practices were unfair and deceptive and violated the FTC Act, the suit alleges.

Wyndham had cooperated with the FTC and offered customers credit monitoring services after the breaches, said spokesman Michael Valentino. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," he said in a statement provided to CNET. "Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.

"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company," the statement said. "In a time when cyberattacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide. Unfortunately, as this matter is now the subject of pending litigation, it would be inappropriate for us to provide further comment at this time."

In the first breach, hackers were able to get into the network of a local Wyndham hotel in Phoenix in April 2008, and from there into the property management system servers of other hotels, and they used "memory-scraping" malware to steal data, according to the FTC suit filed in federal district court in Arizona.

In March 2009, hackers gained access to Wyndham systems via a service provider's administrator account in the Wyndham data center in Phoenix and had access to the network for about two months, the lawsuit says. The hackers used the malware to get the data and reconfigured software to cause the hotel computer systems to create clear text files containing the payment card account numbers of customers, according to the suit.

In the third breach, hackers compromised an administrator account in late 2009 and, again, the hotel learned about the intrusion from a credit card issuer in January 2010, the lawsuit says.

Tons of companies have data breaches, but not many generate a lawsuit from the government. Earlier this year, credit card processor Global Payments said as many as 1.5 million credit card accounts were compromised. And a few weeks ago, LinkedIn, eHarmony, and Last.fm confirmed that user passwords -- potentially as many as 8 million -- were stolen and ended up posted to a hacker forum.

An attorney specializing in high-tech law questioned the FTC's authority to enforce minimum security practices at companies and noted that the consumer privacy language on Wyndham's Web site that the FTC says is deceptive and unfair is actually standard across the Internet. "The FTC has decided not only that there are minimal standards for security, but that they are the policing agent for that, all without Congressional approval," said Eric Goldman, assistant law professor at Santa Clara University School of Law.

Update, 11:20 a.m. PT: Adds attorney comment, background on other cases.
Update, 10:40 a.m. PT: Adds more details and Wyndham comment.