In the latest installment of a long and winding court case related to multiple data beaches at Wyndham Worldwide several years ago, an appellate court has upheld the authority of the Federal Trade Commission to punish the hotel chain for lax security practices that allegedly led to the breaches.
The decision by the United States Court of Appeals for the Third Circuit upholds a decision y a lower court that denied Wyndham’s motion to dismiss a lawsuit brought by the FTC as a result of the data breaches, which date back to 2008. The suit followed a series of three attacks against Wyndham’s systems, which included the installation of RAM-scraping malware and the compromise of information belonging to more than 600,000 consumers.
The FTC in 2012 sued Wyndham on behalf of consumers, alleging that the company’s weak information security policies and practices contributed directly to the breaches and the resulting $10.6 million in fraudulent charges that hit victims’ credit cards. The details of the breaches show that the attackers had relatively easy access to the company’s networks for some time. Wyndham had systems with default user names and passwords exposed to the Internet, had no real inventory of its systems, and didn’t follow an incident response plan, the opinion says.
“In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method— repeatedly guessing users’ login IDs and passwords—to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia,” the opinion says.
“In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered ‘memory- scraping malware’ used in the previous attack on more than thirty hotels’ computer systems. The FTC asserts that, due to Wyndham’s ‘failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months’.”
Wyndham in its motion to dismiss the FTC’s suit was maintaining that the commission does not have the legal authority to punish the company. The FTC said that Wyndham engaged in unfair and deceptive practices by claiming that it used “industry standard practices” to secure customer data, though the attackers were able to steal unencrypted data belonging to tens of thousands of customers.
“The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data,” the appellate court’s opinion says.
The court’s decision effectively affirms the FTC’s authority to impose punishments on companies whose weak security practices lead to data breaches and consumer losses.