6/27/2012

FTC Sues Wyndham Hotels Over Data Security Failures

Hotel chain slammed for poor information security practices, leading to attackers obtaining 600,000 credit card numbers and committing millions of dollars in fraud.

The Federal Trade Commission Tuesday announced that it had filed suit against global hospitality company Wyndham Worldwide Corporation, as well as three of its subsidiaries. The FTC has accused Wyndham of failing to institute a robust information security program, even after an initial major breach. Ultimately, attackers breached its networks three times in just two years, resulting in the exposure of over 600,000 credit card accounts and $10.6 million in fraudulent credit card charges, the FTC alleged.

"Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network," according to the FTC's complaint. "In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text." The defendants in the case are Wyndham Worldwide Corp., as well as its subsidiary, Wyndham Hotel Group, which franchises and manages approximately 7,000 hotels, as well as two subsidiaries, Wyndham Hotels and Resorts and Wyndham Hotel Management.

Wyndham Worldwide spokesman Michael Valentino said via email that his company plans to fight the FTC's enforcement action. "We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously," he said.


Valentino said the company overhauled its information security practices in the wake of the attacks, and also dismissed claims that anyone had been harmed by the breaches. "At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," he said. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks."

According to the FTC, however, Wyndham's data security practices facilitated the breaches, which the agency said "led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia."

The FTC is suing Wyndham for "unfair and deceptive" practices, owing to promises made in the company's privacy policy, which reads, in part: "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program." According to the FTC, "the case against Wyndham is part of the FTC's ongoing efforts to make sure that companies live up to the promises they make about privacy and data security."

According to the FTC, the first of the three Wyndham breaches began in April 2008, when attackers gained access to the network of a Wyndham hotel in Phoenix. "Because of Wyndham's inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels," according to the FTC's complaint. As a result of the breach, the FTC said that attackers were able to install memory-scraping malware on numerous systems, obtain guest names, and also compromise more than 500,000 credit card accounts. Much of that purloined data was then exfiltrated to a website domain registered in Russia.

Memory-scraping malware, also known as "RAM scrapers," refers to malicious code that's able to retrieve sensitive data from a system's volatile memory. Such malware has gained favor in recent years, especially for exploiting point-of-sale systems, because attackers can selectively capture credit card data while avoiding the capture of unwanted data, all of which helps the attack remain undetected.

The FTC accused Wyndham of failing to address the security vulnerabilities highlighted by the first breach, as well as failing to implement technology that could have detected unauthorized access to its networks. As a result, the agency said, in March 2009 attackers--"using similar techniques as in the first breach"--again gained access to the Wyndham Hotels and Resorts network.

This time, "in addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests," said the FTC. "In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers' accounts."
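As an added illustration (not part of the original article) of the clear-text card storage the FTC describes, the following Python check scans an exported file for unmasked payment card numbers, using the Luhn check to discard look-alike digit strings such as reservation IDs; the sample export is constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """Return unique, Luhn-valid card numbers found in clear text, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Render a PAN as first six / last four (the truncated form a system should store)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample: a hypothetical property-management export with one reservation
# ID (16 digits, fails Luhn), two clear-text cards (test numbers), one properly
# truncated card and a repeat of the first card in a different layout.
SAMPLE_EXPORT = """\
2009-03-02 reservation=1234567890123456 guest=J. Doe
card=4111 1111 1111 1111 exp=0311 auth=OK
card=5555555555554444 exp=1210 auth=OK
card=411111******1111 exp=0412 auth=OK
card=4111111111111111 exp=0311 auth=OK
"""

if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_EXPORT):
        print("clear-text PAN found:", mask_pan(pan))
```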

Finally, in the third attack, which occurred later in 2009, the attackers again installed memory-scraping malware, this time compromising servers at 28 Wyndham-branded hotels. "As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts," said the FTC.
