Data security blunders earn hotel chain FTC lawsuit
Wyndham Worldwide Corporation, one of the world's largest hospitality industry holding companies, is the latest object of a Federal Trade Commission (FTC) consumer data protection probe. Government officials formally filed a complaint against the organization this week, holding it responsible for the mismanagement of customer credit card numbers and the millions of dollars in fraudulent charges that ensued.
Three breaches in two years
The FTC lawsuit follows several years of serious data security incidents and questionable resolution tactics from Wyndham. According to the official complaint, the first large-scale breach occurred in April 2009 as hackers circumvented computer network defenses at one of the company's Phoenix-area hotels.
Once inside the systems, the intruders installed "memory-scraping" malware on several servers, which ultimately allowed them to discover a database of customer credit card numbers stored in plain text. Leaving this sensitive information unencrypted was later deemed to be Wyndham's first mistake.
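The "first mistake" described above is card numbers sitting in plain text where a database read or a memory scrape can reach them. A defender's first step is to find out whether that is the case in their own environment: scan database exports, logs and backups for Luhn-valid primary account numbers (PANs) and report only masked values. The following scanner is an added example, not code from the article or from Wyndham; the sample dump, the `SAMPLE_DUMP` constant and the regular expression are constructed for this illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run. Constructed pattern for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; a finding report must never echo the full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_plaintext_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample of a table export. The first two rows hold real-looking
# (public test-range) card numbers in the clear; the third fails the Luhn check
# and is noise; the fourth shows the safe alternative: a token plus last four.
SAMPLE_DUMP = """\
guest_id=1001 name="A. Guest" card=4111111111111111 exp=12/11
guest_id=1002 name="B. Guest" card=5500 0000 0000 0004 exp=03/12
guest_id=1003 name="C. Guest" card=1234567890123456 exp=01/13
guest_id=1004 name="D. Guest" token=tok_9f2a last4=0005
"""

if __name__ == "__main__":
    for line_no, masked in find_plaintext_pans(SAMPLE_DUMP):
        print(f"line {line_no}: plaintext PAN {masked}")
```

Run against the sample it reports lines 1 and 2 only: the Luhn filter drops the sequential digit string on line 3, and line 4 is the pattern a card-handling application should follow, keeping a token and the last four digits and leaving the full PAN with a tokenization service or encrypted vault. Expect some false positives on long numeric identifiers (timestamps, order numbers) that happen to pass Luhn; a hit is a prompt to inspect, not proof by itself.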
Concerns escalated sharply when it was learned that the hackers had not only gained access to more than 500,000 customer accounts, but had exported the financial data to a website domain registered in Russia.
In the FTC complaint, the company was taken to task for not responding to this serious incident with the seriousness it warranted.
"Wyndham still failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access and failed to follow proper incident response procedures," officials stated. "As a result, Wyndham's security was breached two more times in less than two years."
In March of 2009, hackers used a similar brand of memory-scraping malware to access an additional 50,000 customer credit card numbers from 39 separate hotels to rack up millions of dollars in fraudulent charges. Later that year, cybercriminals struck again in a third incident that saw 69,000 consumer payment card accounts stripped from the servers of 28 different hotels.
While the severity of the damages is notable in its own right, what struck FTC officials as particularly hard to reconcile was the misleading information provided to consumers. The agency alleges that the privacy policy posted on Wyndham websites has consistently misrepresented the depth of data security precautions taken by the company and its subsidiaries. FTC investigators noted a lack of fundamental password protections, firewalls and segmentation between the networks at Wyndham-branded hotels.
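Two of the failures the complaint lists, no segmentation between hotel networks and no reasonable measures to detect unauthorized access, are the kind of thing a simple policy check over network flow records can surface: traffic crossing into the cardholder segment from a non-cardholder segment, and outbound transfers from cardholder-segment hosts to destinations that are not on an allowlist (the bulk export to an outside domain mentioned earlier is the case that matters most). The checker below is an added example, not code from the article, the FTC or Wyndham; the host names, segment map, allowlist, byte threshold and flow records are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed policy: which segment each host belongs to, and the only
# destinations hosts in the cardholder-data segment may send to.
SEGMENT_OF = {
    "pos-phx-01": "cardholder",
    "db-phx-01": "cardholder",
    "frontdesk-phx-03": "property",
    "guest-wifi-ap7": "guest",
}
CARDHOLDER_EGRESS_ALLOW = {"processor.example-acquirer.net", "db-phx-01"}
BULK_BYTES_THRESHOLD = 5_000_000  # 5 MB from one host to one destination

# Constructed flow records: (source host, destination host or domain, bytes out).
FLOWS = [
    ("pos-phx-01", "processor.example-acquirer.net", 12_000),
    ("pos-phx-01", "db-phx-01", 40_000),
    ("frontdesk-phx-03", "db-phx-01", 3_000),            # property net reaching card DB
    ("pos-phx-01", "updates.unknown-vendor.example", 20_000),
    ("db-phx-01", "files.unknown-host.example", 3_500_000),
    ("db-phx-01", "files.unknown-host.example", 2_900_000),  # 6.4 MB total outbound
    ("guest-wifi-ap7", "cdn.example.com", 900_000),
]


def evaluate_flows(flows):
    """Return (kind, src, dst, total_bytes) alerts for policy violations in flows."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes  # aggregate so a split transfer is still seen

    alerts = []
    for (src, dst), total in sorted(totals.items()):
        src_seg = SEGMENT_OF.get(src, "unknown")
        dst_seg = SEGMENT_OF.get(dst)
        # Anything outside the cardholder segment talking into it is a
        # segmentation failure, regardless of volume.
        if dst_seg == "cardholder" and src_seg != "cardholder":
            alerts.append(("segmentation-violation", src, dst, total))
        # Cardholder hosts may only talk to the allowlist; a large total to an
        # unlisted destination is the exfiltration pattern worth paging on.
        if src_seg == "cardholder" and dst not in CARDHOLDER_EGRESS_ALLOW:
            kind = "bulk-exfil" if total >= BULK_BYTES_THRESHOLD else "unexpected-egress"
            alerts.append((kind, src, dst, total))
    return alerts


if __name__ == "__main__":
    for kind, src, dst, total in evaluate_flows(FLOWS):
        print(f"{kind}: {src} -> {dst} ({total} bytes)")
```

On the sample it raises three alerts: the front-desk host reaching the card database, the point-of-sale host contacting an unlisted update server at low volume, and the database host sending 6.4 MB to an unknown destination across two flows. Aggregating before thresholding is the point of the design; an attacker who chunks the export would otherwise stay under a per-flow limit. In production the segment map and allowlist come from the firewall and inventory data that define the cardholder environment, and a missing host in the map should itself be treated as a finding.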
Responding to disaster
Despite the long list of allegations leveled against it, Wyndham seems determined to clear its name.
"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," company spokesman Michael Valentino confirmed to InformationWeek via email. "We intend to defend against the FTC's claims vigorously."
Valentino went on to say that the hotel chain fundamentally overhauled its IT practices following the attacks and has not received any indication that hotel customers have incurred financial losses. Customers were promptly notified of potential dangers at the time and offered credit monitoring services as well.
Nevertheless, the FTC lawsuit signals a disturbing trend. Taken alongside separate breaches suffered by Global Payments, LinkedIn and others, the Wyndham incident suggests that larger companies may not be allocating their comparatively superior resources to effective data protection.
"It's unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations," network security executive Mike Reagan told CIO Today. "But for others, they're recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses."
Data Security News from SimplySecurity.com by Trend Micro