The US Federal Trade Commission (FTC) has filed a lawsuit against Wyndham Worldwide, accusing the hospitality company of failing to adhere to suitable security protocols – actions which lead to the theft of 619,000 payment card accounts.
“Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorised access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years,” reads the lawsuit, which was filed June 26 (local time) in Arizona.
“Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”
The news is further evidence of the importance of Payment Card Industry Data Security Standard (PCI DSS) compliance, and for businesses to ensure that they are taking the measures necessary to protect user data.
The FTC claims that Wyndham Worldwide’s security practices led to unnecessary exposure of customer details to unauthorised access and theft.
Payment card information stored on Wyndham databases was kept in clear, readable text, while account passwords were overly simplistic and easy to guess, according to the FTC.
Hackers first gained access to the Wyndham computer network in April 2008 after compromising an administrator account by using a brute force attack.
They then installed memory-scraping malware on the server, allowing them to steal payment card information from over 500,000 hotel guests.
The FTC goes on to say that even after this incident, Wyndham Worldwide failed to integrate proper security measures.
Hackers were then able to gain access to private information in May 2009, and again towards the end of that year, stealing the details of a further 119,000 credit cards.
Wyndham Worldwide has denied the charges and has claimed to have made significant security improvements since the incidents.
“We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company,” reads a statement from Wyndham released to online security website CNET.
“In a time when cyberattacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide.”