
6/27/2012 09:31 PM

FTC Takes On Wyndham For Security Lapses

Lawsuit alleges deceptive practice in privacy policy following three breaches in two years

In another sign that it is cracking down heavily on businesses that put consumer privacy at risk by failing to protect their sensitive data, the Federal Trade Commission (FTC) has launched a lawsuit against hospitality company Wyndham Worldwide. The FTC accuses Wyndham of deceptive practices in the claims it made in its privacy policy, citing three different breaches Wyndham suffered in the course of two years as evidence that it failed to live up to its promises to protect customer information.

"At the root of it the FTC is saying to Wyndham, 'You're not living up to your privacy statement and that's unfair and deceptive,'" says Todd Thiemann, senior director of product marketing for Vormetric. "It should be a wakeup call to enterprises understanding they need to not just pay attention to PCI DSS, but make sure across the board that they're living up to what they say about privacy protection in terms of what they're advertising to their customers."

The FTC complaint names three breaches in the case, occurring in 2008 and 2009. The first was a networked server breach that gave hackers the ability to install malware that exfiltrated half a million credit card numbers to a domain registered in Russia. Even after that incident, the FTC claims, Wyndham did not do enough to prevent two additional breaches that gave hackers access by similar methods and resulted in more than 100,000 additional customer records being exported.

"In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury," the FTC said in a release this week. "The agency charged that the security practices were unfair and deceptive and violated the FTC Act."

According to Torsten George, vice president of worldwide marketing for Agiliance, the suit is a clear sign to the security industry that it is no longer good enough to follow check-box compliance practices.

"You have to step up and really show that you care about security," he says. "And that it's really important once you get burned the first time to really dramatically change how you approach security within an organization."

He also believes that businesses will watch this case closely for clues as to how privacy policies should be written in the future. He believes that Wyndham was "naïve" in how it wrote its privacy policy, offering far too many safety guarantees in an environment rife with security breaches.

"I believe that this is a watershed event and that a lot of lawyers of commercial companies are currently reviewing their legal information on their websites," he says.

It could also be an important case in setting a precedent for what constitutes due diligence on the part of companies offering privacy guarantees.

"The current FTC statements against Wyndham allege that Wyndham did not perform proper due diligence with respect to various areas of information security. The question most likely weighing on many organizations' minds as they watch this story unfold is, 'What constitutes proper due diligence?'" says Jason Rhykerd, consultant for SystemExperts Corporation, explaining that it is an answer that is not as easy as we'd like to believe. "How can you be sure that one person's best practices are the best practices for your organization? Due diligence is a relative term; properly inventorying assets and assessing risk will allow an organization to realize gaps and implement controls and/or mitigation processes and policies."

He says that the "basics" like strong passwords, monitoring, and applying the rule of least privilege are still being missed today. It may take more actions like this from the FTC to convince organizations to pay more attention.

And the FTC may be happy to oblige. This is the third data security case the agency has brought this month. In the two others, the FTC is suing two companies for exposing customer data through P2P downloads.

"It’s unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations," says Mike Reagan, chief marketing officer at LogRhythm. "But for others, they’re recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses."

Comments

Bprince, 6/29/2012 | 3:54:47 AM
re: FTC Takes On Wyndham For Security Lapses
One of the things that stood out in the FTC allegations was a lack of network segmentation that exposed multiple networks belonging to the chain. The whole thing makes me wonder if the risk assessments Wyndham was doing at the time were based on any kind of threat modeling.
Brian Prince, InformationWeek/Dark Reading Comment Moderator