Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
A major hotel chain and its subsidiaries have been sued for allegedly failing to secure the financial information of its guests which led to fraudulent charges of more than $US10 million and the theft of hundreds of thousands of credit card numbers.
The complaint centers on three data breaches in as many years. In each case, the intruders made off with financial information by breaching the company's data centre.
The Federal Trade Commission alleged that Wyndham, which operates 7200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries -- Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management -- "misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information and that its failure to safeguard personal information caused substantial consumer injury."
The "property management systems" of all Wyndham-branded hotels, according to the FTC, were managed by the defendants and are connected to the corporate network.
In the first breach, which occurred in April 2008, the hackers gained an initial foothold onto a Phoenix Wyndham hotel's network, the FTC said.
Then, they pivoted to one of the subsidiary's corporate networks, which granted them access to the property management servers belonging to 41 other Wyndham properties.
In total, the thieves compromised a half-million credit card accounts, shipping many of those numbers -- which were being stored in clear text -- off to a hacker-owned server in Russia.
The following year, criminals used a similar method to latch on to one of the subsidiary's networks, where they installed "memory-scraping" malware to steal another 50,000 card numbers from 39 hotels. Then, in early 2010, Wyndham announced yet another breach involving 28 hotels and 69,000 accounts.
The FTC is seeking unspecified relief for incidents which it said resulted in $10.6 million in phony card charges and other expenses.
"Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit," the lawsuit said. "Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm."
Michael Valentino, a Wyndham spokesman, told SCMagazine.com via a statement on Tuesday that the company has yet to learn of any fraud that resulted from the breaches. He said he was surprised to learn of the lawsuit.
"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," Valentino said. "We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company."
For several years, the hospitality industry has proven a rich target for cyber crime.
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.