"Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network," according to the FTC's complaint. "In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text." The defendants in the case are Wyndham Worldwide Corp., as well as its subsidiary, Wyndham Hotel Group, which franchises and manages approximately 7,000 hotels, as well as two subsidiaries, Wyndham Hotels and Resorts and Wyndham Hotel Management.
Wyndham Worldwide spokesman Michael Valentino said via email that his company plans to fight the FTC's enforcement action. "We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously," he said.
Valentino said the company overhauled its information security practices in the wake of the attacks, and also dismissed claims that anyone had been harmed by the breaches. "At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," he said. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks."
According to the FTC, however, Wyndham's data security practices facilitated the breaches, which the agency said "led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia."
According to the FTC, the first of the three Wyndham breaches began in April 2008, when attackers gained access to the network of a Wyndham hotel in Phoenix. "Because of Wyndham's inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham's Hotels and Resorts subsidiary, and the property management system servers of 41 Wyndham-branded hotels," according to the FTC's complaint. As a result of the breach, the FTC said that attackers were able to install memory-scraping malware on numerous systems, obtain guest names, and also compromise more than 500,000 credit card accounts. Much of that purloined data was then exfiltrated to a website domain registered in Russia.
Memory-scraping malware, also known as "RAM scrapers," refers to malicious code that's able to retrieve sensitive data from a system's volatile memory. Such malware has gained favor in recent years, especially for exploiting point-of-sale systems, because attackers can selectively capture credit card data while avoiding the capture of unwanted data, all of which helps the attack remain undetected.
The FTC accused Wyndham of failing to address the security vulnerabilities highlighted by the first breach, as well as failing to implement technology that could have detected unauthorized access to its networks. As a result, the agency said, in March 2009 attackers, "using similar techniques as in the first breach," again gained access to the Wyndham Hotels and Resorts network.
This time, "in addition to using memory-scraping malware, they reconfigured software at the Wyndham-branded hotels to obtain clear text files containing the payment card account numbers of guests," said the FTC. "In this second incident, the intruders were able to access information at 39 Wyndham-branded hotels for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges using consumers' accounts."
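Both the RAM scrapers described above and the reconfigured software that produced clear-text card files relied on payment card numbers being present as plain digit strings. The following added example (not from the FTC complaint or from Wyndham) shows the defender-side counterpart: a scan over a file or memory dump that flags Luhn-valid card-number candidates and reports them masked, so an operator or auditor can find clear-text PANs in logs or configuration output and remove them. The property-management log lines are constructed sample data.

```python
"""Scan a file or memory dump for clear-text payment card numbers (PANs).

Added example for this article, not code from the FTC or Wyndham. Flags
13-19 digit runs that pass the Luhn checksum and reports them masked so
the report itself does not become another clear-text copy of card data.
"""
import re
from typing import List

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so folio numbers and timestamps are not picked up).
PAN_PATTERN = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(data: bytes) -> List[str]:
    """Return masked, de-duplicated PAN candidates that pass Luhn."""
    found: List[str] = []
    for m in PAN_PATTERN.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            masked = mask_pan(digits)
            if masked not in found:
                found.append(masked)
    return found


# Constructed sample: two log lines, one with a clear-text (test) PAN and
# one with a digit run of card-like length that fails the Luhn check.
SAMPLE = (
    b"2009-03-10 12:00:01 folio=1234567890 guest=DOE card=4111 1111 1111 1111 auth=OK\n"
    b"2009-03-10 12:00:02 folio=1234567891 card=4111111111111112 auth=DECLINED\n"
)

if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE):
        print("clear-text PAN found:", hit)
```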
Finally, in the third attack, which occurred later in 2009, the attackers again installed memory-scraping malware, ultimately exploiting the servers of 28 Wyndham-branded hotels. "As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts," said the FTC.