The Federal Trade Commission has filed a suit against Wyndham Worldwide Corporation and three of its subsidiaries for
alleged data security failures that led to three data breaches at
Wyndham hotels in less than two years.
The FTC alleges that these
failures led to fraudulent charges on consumers' accounts, millions of
dollars in fraud loss, and the export of hundreds of thousands of
consumers' payment card account information to an Internet domain
address registered in Russia.
The case against Wyndham is part of the FTC's ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.
In its complaint, the FTC alleges that Wyndham's privacy policy
misrepresented the security measures that the company and its
subsidiaries took to protect consumers' personal information, and
that its failure to safeguard personal information caused substantial
consumer injury. The agency charged that the security practices were
unfair and deceptive and violated the FTC Act.
Since 2008, Wyndham has claimed on its Wyndham Hotels and Resorts
subsidiary's website that "We recognize the importance of protecting
the privacy of individual-specific (personally identifiable) information
collected about guests, callers to our central reservation centers,
visitors to our Web sites, and members participating in our Loyalty
Program …"
According to the FTC's complaint, the repeated security failures
exposed consumers' personal data to unauthorized access. Wyndham and its
subsidiaries failed to take security measures such as complex user IDs
and passwords, firewalls and network segmentation between the hotels and
the corporate network, the agency alleged. In addition, the defendants
allowed improper software configurations, which resulted in the storage
of sensitive payment card information in clear, readable text.