Feds Investigate $10M Wyndham Hotel Chain Hack

Dennis Faas's picture

A series of security breaches has exposed the credit card details of Wyndham hotel customers. As a result, the company must face the ire of the Federal Trade Commission (FTC).

Hackers apparently breached the hotel chain's secured data networks on three separate occasions, starting in April 2008. The first attack was the largest and gave the hackers access to hotel guest data stored on the system.

Because the data wasn't encrypted, the attackers were able to utilize information associated with an estimated 500,000 credit cards, which they relayed to a Russian-based site.

Wyndham came under attack by hackers twice more in 2009. On these occasions hackers were somewhat less successful, taking data from 50,000 accounts, and again from 69,000 customer accounts, respectively.

Stolen Cards Hit For $10 Million

All in all, the FTC estimates that the fraudsters who received the stolen card details made a total of $10.6 million in unauthorized transactions. Though the card holders will most often not be required to pay these charges, the attacks caused great worry and inconvenience. (Source: ftc.gov)

The FTC is now taking Wyndham Worldwide Commission, the hotel chain's parent company, to court on two separate counts.

One covers the company's sloppy security measures, which it failed to fix even after the first attack.

This is classed as behavior that "caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves."

The second count covers Wyndham's promise to its customers that it would protect their personal data.

According to the FTC, making such claims but not properly dealing with the security risks was "false or misleading and constitute[s] deceptive acts or practices."

Wyndham Denies Breaking Law

That Wyndham suffered multiple attacks and appears not to have learned from the first incident may well count against the company in court.

The FTC's main demand is that the court force Wyndham to overhaul its security systems and live up to its privacy promises, with the threat of legal penalties if it fails to do so.

However, the commission hasn't ruled out asking the court to issue fines and compensation orders right away.

Wyndham says it intends to defend itself against the charges. It points out that it has yet to receive any reports of customers suffering financial losses from the attacks. (Source: informationweek.com)
