The Federal Trade Commission (FTC) filed suit Tuesday against the hospitality company Wyndham Worldwide and three of its subsidiaries, accusing them of data security failures that led to three breaches in less than two years.
The breaches led to fraudulent charges on consumer accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ card account information to an Internet domain address registered in Russia, the FTC alleges.
The company neglected to take security measures including employing complex user IDs and passwords; it also allowed improper software configurations that resulted in storing payment card information in clear readable text, according to the FTC.
Hackers were able to install “memory scraping” malware on numerous Wyndham-branded hotel system servers, the FTC claims.
In an e-mailed statement, Wyndham said it regretted the FTC’s decision to pursue litigation and that it believes the claims are without merit. It also stated that it had fully cooperated with the FTC during the agency’s investigations into breaches that occurred between 2008 and 2010.
After the breaches, Wyndham made “prompt efforts” to notify any customers who may have had data compromised and also offered them credit monitoring services, it said. The company also said it has made significant security enhancements, including assisting managed and franchised hotels in strengthening their security.
Wyndham added that to date, it had not learned of any customers experiencing a financial loss due to the breaches. “We intend to defend against the FTC’s claims vigorously,” it said.