UPDATE: The U.S. Federal Trade Commission has fined Wyndham Hotels for a string of data breaches that resulted in information on hundreds of thousands of customers being lost to cyber criminals.
An FTC complaint, filed on June 26, 2012, asks for “permanent injunctive relief” against Wyndham for failing to maintain what the FTC calls “reasonable security” necessary to keep intruders from compromising the network of the hotel chain. Wyndham’s failure to protect its IT network laid the groundwork for a series of three data breaches in which cyber criminals based in Russia stole financial information later used to generate $10.6 million in fraudulent purchases. A Phoenix, Arizona, data center used by Wyndham was the source of the breach, the FTC said.
The complaint describes an epic failure on the part of Wyndham. It alleges that Wyndham Worldwide failed to adequately protect a property management system that was used to manage some 7,000 Wyndham Hotels and Resorts hotels under the Days Inn, Ramada and Super 8 brands. Among other things, Wyndham is alleged to have used default administrative user names and passwords on servers that connected to the Hotels and Resorts network. Wyndham Worldwide also stored customer credit card data in plain text, and failed to adequately segregate the property management system from the company’s corporate intranet and the public Internet. The result was a string of security breaches between April 2008 and January 2010 and the theft of customer data.
In a statement, Wyndham Worldwide spokesman Michael Valentino said the company was disappointed with the government’s decision to pursue a legal case against the hospitality chain. “We cooperated fully with the Federal Trade Commission (FTC) regarding its investigation of previously reported data breaches that occurred from 2008 to 2010,” Valentino wrote. “At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks,” he wrote.
The company said it has improved its information security practices and plans to challenge the suit.
“We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.”
The details provided in the FTC filing paint a different picture, however. Beginning in April 2008, hackers were able to hopscotch from a single Wyndham hotel’s network to the entire Hotels and Resorts network through the company’s central property management system. Using a brute-force attack, the hackers compromised an administrative account on the Hotels and Resorts network. Wyndham, the complaint alleges, failed to notice the intrusion attempt, despite the fact that the hackers’ guessing resulted in more than 200 administrative accounts getting locked out in the process. Among other things, the company lacked an adequate inventory of its IT assets and thus failed to correlate the failed login attempts to just two computers in the company’s Phoenix data center.
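The correlation the complaint says was missing can be sketched as a small detection routine. This is an added example, not taken from the FTC filing or from Wyndham's systems: it groups account lockout events by source address, flags any source that locks out several distinct accounts in a short window, and looks the source up in an asset inventory. All addresses, host names, the log format and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (hypothetical): source address -> (asset, site).
INVENTORY = {
    "10.20.0.11": ("pms-app-01", "datacenter-A"),
    "10.30.4.7": ("frontdesk-07", "hotel-17"),
}

# Constructed lockout events: "timestamp account source_address".
SAMPLE_EVENTS = """\
2008-04-01T01:00:00 admin001 10.20.0.11
2008-04-01T01:00:20 admin002 10.20.0.11
2008-04-01T01:00:40 admin003 10.20.0.12
2008-04-01T01:01:00 admin004 10.20.0.11
2008-04-01T01:01:20 admin005 10.20.0.12
2008-04-01T01:01:40 admin006 10.20.0.12
2008-04-01T09:15:00 jsmith 10.30.4.7
"""

def parse_events(text):
    """Yield (time, account, source) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, account, source = line.split()
            yield datetime.fromisoformat(ts), account, source

def lockout_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Flag sources that lock out >= min_accounts distinct accounts in a window."""
    by_source = defaultdict(list)
    for when, account, source in events:
        by_source[source].append((when, account))
    findings = {}
    for source, hits in by_source.items():
        hits.sort()
        start = worst = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            worst = max(worst, len({a for _, a in hits[start:end + 1]}))
        if worst >= min_accounts:
            # A flagged source missing from inventory is itself a finding.
            asset = INVENTORY.get(source, ("UNKNOWN", "not in inventory"))
            findings[source] = {"accounts": worst, "asset": asset}
    return findings

if __name__ == "__main__":
    for src, info in lockout_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

A single user who locks themselves out (the `jsmith` line) stays below the threshold, while the two sources spraying many administrative accounts are reported, one of them as an asset the inventory does not know about.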
The first attack went undetected for four months, the FTC complaint alleges. In the end, the property management system servers of 41 Wyndham-branded hotels were involved in the breach and payment information on 500,000 accounts was compromised. Much of that information was exported to a server on a domain registered in Russia.
Wyndham failed to eradicate the information-stealing malware used in the first attack from more than 30 properties. It was then leveraged in a second attack, in March 2009, to steal more information and configure the hotel chain’s property management system to translate payment card data used at its hotels into clear text files. Information on another 50,000 customers was stolen in the second breach.
Even after two breaches, Wyndham failed to take adequate steps to prevent the subsequent compromise of the Hotels and Resorts network. The third breach, in late 2009, saw hackers again moving from a local Wyndham hotel network to the company’s property management system. Again, the attackers installed memory-scraping malware to access payment card account information held by the hotels. Wyndham did not learn about the breach until the company was contacted by a card issuer in January 2010. In all, the FTC claims that an additional 69,000 individual accounts were exposed.
The FTC is charging Wyndham with violations of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”