Wyndham hotels face FTC complaint after multi-hack attacks

Wyndham Hotels and Resort publicity photo The FTC said that more than half a million accounts had been compromised

Related Stories

Wyndham Worldwide faces an official complaint after hundreds of thousands of hotel customers' credit card details were posted to a Russian site.

The US Federal Trade Commission alleged that three data breaches had occurred at the group over less than two years.

It added that the firm and associated businesses had misrepresented the security measures that they had taken.

Wyndham said it was unaware of any customers losing money as a result of the breach.

According to the FTC, Wyndham Worldwide and three of its subsidiaries had failed to take security measures, such as firewalls, complex user IDs and passwords, and network segmentation between the hotels and their corporate network.

It added that "improper software configurations" had meant sensitive payment card information had been stored in clear readable text.

Memory-scrapers

As a result the FTC said that in April 2008 intruders had been able to gain access to computers belonging to the Wyndham's Hotels and Resorts subsidiary and 41 individual Wyndham-branded hotels.

It said the attackers had installed memory-scraping malware which had allowed them to access files containing payment card account information.

The agency said that more than half a million payment card accounts were compromised as a result, many of which subsequently appeared on a domain registered in Russia.

Despite the attack the FTC said that Wyndham had failed to remedy the vulnerabilities and had been breached a further two times in 2009, leading to tens of thousands more accounts being affected.

Wyndham hotel room Wyndham says it is not aware of any of its customers experiencing a financial loss

It added that the intruders had been able to make more than $10.6m (£6.8m) of fraudulent purchases as a consequence.

'Vigorous' defence

Wyndham Worldwide told the BBC it had fully co-operated with the FTC's investigation, but believed the agency's claims were without merit.

"At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," said Michael Valentino.

"To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks. Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security."

Mr Valentino added that the firm intended to defend itself against the FTC's charges "vigorously".

The US District Court for the District of Arizona will now decide whether to uphold the FTC's complaint and force Wyndham to pay compensation.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(USAF)

Secrets of the aircraft boneyards

The vast storage sites for surplus planes Read more...

Programmes

  • A screenshot from Goat SimulatorClick Watch

    The goat simulator which started as a joke but became a surprising hit, plus other tech news

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.