Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/24/2015
03:00 PM
50%
50%

Ruling: FTC Can Hold Wyndham Liable For Data Breach

Appeals Court ruling solidifies Federal Trade Commission's authority to take action against companies whose data breaches expose customer information.

Wyndham Worldwide's attempt to have a lawsuit by the US Federal Trade Commission (FTC) dismissed that would make the hotel chain liable for three data breaches over two years that exposed customer payment card information has failed.

Today, the Third U.S. Circuit Court of Appeals ruled that the FTC can move forward with its lawsuit that alleges Wyndam should be held responsible for leaving its customer data unprotected -- with no firewalling and out-of-date, vulnerable software. The agency is calling for the company to beef up security and provide reparations to customers as appropriate.

The ruling in effect gives the FTC the power to regulate the security practices of businesses

Read more about the latest on the FTC and the court ruling here and here

 

 

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ColbyC138
50%
50%
ColbyC138,
User Rank: Apprentice
8/26/2015 | 6:45:26 PM
Government Shakedown for Self-Funding
The FTC and state DOJ gangs' jurisdiction and standing to sue companies for being breached has long been questioned. This ruling paves the way to a lot of government action following a security breach. Not only will companies have to deal with the remediation, regulatory fines and civil lawsuits following a breach, but will also have to defend against criminal suits from multiple agencies. The price of having poor security and being compromised is about to get a lot more expensive. 

This was a key case for them to win as it will open up a significant revenue stream in the medium to long term. But, it is a really dangerous precedent. All of these post breach lawsuits and shakedowns are going to be financially cripling to organizations trying to recover. I don't really see the value in the government doing this as it does not help to solve the problem, except to provide yet another disincentive for being hacked and we don't really need any moreof those. It seems that this is all about obtaining revenue. Should this be the place of government - self funding through lawsuits? It sounds dangerous.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/25/2015 | 7:13:03 AM
Avid Life Media
Oof. This is bad news for Ashley Madison/Avid Life Media. While this hotel chain may have been liable for some details, exposing the information of over 37 million individuals is far worse, especially considering the nature of the information. I think rulings like this will be cited by a lot of lawyers that go after ALM in the near future. It's going to kill the company. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/24/2015 | 4:48:17 PM
Yup.
I've yet to read the ruling (though I look forward to taking a look), but this kind of decision isn't particularly surprising.  The FTC has extremely broad powers to regulate and enforce fair trade, and the respective definitions of what "fair trade" and "unfair and/or deceptive trade practices" are very broad indeed.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.