Cygilant Blog

FTC Can Go After Companies that Have Been Hacked

Posted by Vijay Basani on Sep 2, 2015

The U.S. Court of Appeals ruled that the Federal Trade Commission (FTC) has the authority to take action against companies that fail to enact proper cyber security practices. In a ruling that came as part of the lawsuit between hotel chain Wyndham Worldwide and the FTC, the Third Circuit court in Philadelphia ruled that the FTC can step in when companies have cyber security practices that violate their customers’ privacy agreements. Wyndham published a privacy policy on its website that carelessly overstated the company’s cybersecurity, the FTC said.

The FTC sued Wyndham in 2012, after the hotel chain suffered three cyber breaches. In April 2008, Wyndham suffered a breach in which a hacker was able to connect to the company’s Phoenix network by guessing the password for an administrator account. The hackers were able to gain access to the unencrypted information of over 500,000 accounts. Wyndham’s cyber security policy said that account information was encrypted, but it actually wasn’t. Then in March 2009, a hacker gained access to more customer data through an administrator account, and they were able to change the company’s systems to create easily readable text files of their customers’ credit and debit card account numbers. The hackers went unnoticed for two months, until Wyndham discovered the same memory-scraping malware used by the hackers in their previous attack. In late 2009, hackers again breached Wyndham through an administrator account. The company only learned of this attack when a credit card company investigated complaints from cardholders.

Wyndham lost at least $10.6 million in the aftermath of these breaches, not including the losses due to unreimbursed financial charges, denial of access to funds, and the funds spent on reversing all of the fraudulent charges the hackers made. The hackers gained access to the payment card information of over 619,000 customers. The hackers were traced back to Russia, but Wyndham had trouble determining how they had even gotten in.

The FTC didn’t claim that Wyndham used weak firewalls and security protections, but rather that the hotel chain lacked security controls altogether in some places. In one instance, the FTC argued that Wyndham failed to enact basic cyber security measures, such as changing default passwords. In one example, the username used to access Wyndham’s network was “micros,” as was the password. The FTC also said that Wyndham knowingly allowed at least one hotel to connect to the company’s network with an out-of-date operating system that had not received a security update in over three years, which was a risk to their customers. According to the FTC, Wyndham didn’t even know that the hackers were in their networks while their customers’ data was being sold online to identity thieves. The company also did not follow proper incident response procedures, as indicated by the hackers being able to use similar methods three times to breach the network. Wyndham failed to monitor its network for the malware used in previous intrusions, the FTC said.

Although Wyndham was a victim of the cyber breach, the court ruled that the company should have had fair cyber security practices in place to protect consumers. This ruling is a victory for consumers who worry about their data being stolen due to company carelessness. The ruling in favor of the FTC now incentivizes companies to spend more time and money on developing a comprehensive cyber security plan that puts consumers first. A third-party cyber security solution provider can help companies have fair cyber security practices. EiQ Networks’ SOCVue security monitoring solution scans for unauthorized software and wireless access points, ensures anti-malware defenses are in place, and identifies risky network traffic. EiQ also offers industry-specific compliance reports. With EiQ, companies can gain insight into their IT infrastructure and keep their customers’ data safe.

Tags: Cyber Attack, Data Breach, Government, Federal Government
