Lax corporate security allowed hackers to steal credit card and other personal information from more than 600,000 customers of Wyndham Worldwide hotels, resulting in at least $10.6 million in fraudulent charges, the Federal Trade Commission alleged in a lawsuit Tuesday.
The FTC action marked the first time it had sued a major company for failing to adequately secure customer information, the commission said. Dozens of similar cases over the past decade, against Microsoft, BJ’s Wholesale Club and others, resulted in agreements in which companies accepted stricter security measures.
The FTC lawsuit, filed in U.S. District Court in Arizona, alleges numerous shortcomings in security practices by Wyndham and its subsidiaries, including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.
The Wyndham systems were so vulnerable that hackers were able to use a primitive “brute force” attack in which they essentially guessed the password to an administrator’s account and used the resulting access to scour the system for personal data for months, the suit said. Much of the data ended up on an Internet domain registered in Russia, which experts say is a major hub of cybercrime.
Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, said the security failings were “obvious.” She added: “We don’t bring cases that we think are close calls.”
Wyndham Worldwide, based in Parsippany, N.J., said Tuesday that it had cooperated with the FTC investigation and called the allegations in the lawsuit “without merit.” A company statement added: “We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.”
The Wyndham statement also said that the company had made “significant enhancements to our information security” since the incidents, which occurred between 2008 and 2010. The company said it knew of no instance in which a hotel customer suffered a financial loss from the data breaches.
Federal officials and cybersecurity experts have warned for years about the mounting threat of theft of personal information by hackers, many based in Russia and China.
In Tuesday’s suit, the FTC argued that Wyndham’s failure to maintain reasonable security measures violated its own stated policy about protecting consumer information; this resulted in “deceptive statements” to consumers. More broadly, the commission said Wyndham had not kept up with industry standards in the rapidly evolving field of cybersecurity.
In one case, Wyndham employees using a program made by software maker Micros Systems relied on the word “micros” as both the user name and password to an account, making it easier for hackers to gain entry.
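The two failings the complaint singles out, an administrator password recovered by repeated guessing and a vendor account left at its default "micros"/"micros" credential, are both things a defender can check for mechanically. The script below is an added illustration, not code from the article, the FTC or Wyndham: the first function runs a sliding-window failed-login counter over constructed authentication log lines and marks a burst that ends in a successful login, the second audits a constructed inventory of configured service accounts for passwords equal to the user name or on a short list of known defaults. The log format, host names, addresses, timestamps and the default-credential list are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the demo; the timestamps, addresses and
# account names are invented, not taken from the case.
SAMPLE_AUTH_LOG = """\
2008-04-01T02:00:01 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:03 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:05 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:07 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:09 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:11 src=203.0.113.7 user=administrator result=FAIL
2008-04-01T02:00:13 src=203.0.113.7 user=administrator result=SUCCESS
2008-04-01T02:05:00 src=10.20.30.40 user=frontdesk result=SUCCESS
2008-04-01T02:06:00 src=10.20.30.41 user=frontdesk result=FAIL
2008-04-01T02:06:05 src=10.20.30.41 user=frontdesk result=SUCCESS
"""

# Assumed log line layout: "<iso-timestamp> src=<ip> user=<name> result=FAIL|SUCCESS"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "user": m["user"], "result": m["result"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag (source, account) pairs that accumulate `threshold` failed logins
    inside a sliding `window`. A success from the same pair while the window
    is still full is marked `succeeded`, the pattern the article describes
    (guessing until the administrator password works)."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:  # age out failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(key, {"src": ev["src"], "user": ev["user"],
                                        "failures": 0, "succeeded": False,
                                        "first_seen": q[0], "last_seen": ev["ts"]})
        alert["failures"] = max(alert["failures"], len(q))
        alert["last_seen"] = ev["ts"]
        if ev["result"] == "SUCCESS":
            alert["succeeded"] = True
    return list(alerts.values())


# Illustrative defaults list, not exhaustive; in practice it comes from vendor
# documentation and the organisation's own inventory. ("micros", "micros") is
# the pair the complaint describes.
KNOWN_DEFAULT_CREDENTIALS = {("micros", "micros"), ("admin", "admin"), ("root", "root")}

# Constructed inventory of configured service accounts (hypothetical hosts and values).
SAMPLE_ACCOUNTS = [
    {"host": "pos-01.example.internal", "user": "micros", "password": "micros"},
    {"host": "pms-01.example.internal", "user": "svc_pms", "password": "X9!vb2#Qp7rL"},
    {"host": "db-01.example.internal", "user": "reports", "password": "Reports"},
]


def audit_default_credentials(accounts, known_defaults=KNOWN_DEFAULT_CREDENTIALS):
    """Return accounts whose configured password is the user name or a known
    vendor default. Assumes the auditor can read the configured credential,
    as is usual for service accounts stored in application configuration."""
    findings = []
    for acct in accounts:
        user, pw = acct["user"].lower(), acct["password"].lower()
        reasons = []
        if pw == user:
            reasons.append("password equals user name")
        if (user, pw) in known_defaults:
            reasons.append("known vendor default")
        if reasons:
            findings.append({"host": acct["host"], "user": acct["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_AUTH_LOG.splitlines()):
        print(f"brute force: {a['user']} from {a['src']}, {a['failures']} failures, "
              f"succeeded={a['succeeded']}")
    for f in audit_default_credentials(SAMPLE_ACCOUNTS):
        print(f"weak credential on {f['host']} ({f['user']}): {', '.join(f['reasons'])}")
```

The threshold and window are deliberately low so the sample trips them; in production they are tuned per account class, and administrator accounts in particular deserve a lower threshold and an alert on any success that follows a burst. The credential audit is only as good as its defaults list, so it should be fed from the vendor documentation for every product in the estate rather than the three pairs used here.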
Such lapses, the commission said, “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
The trade commission detailed three breaches, all starting with hackers gaining access to one hotel’s computer network in Phoenix in 2008. Once the hackers penetrated an administrator’s account, they installed software that could collect personal information on a Wyndham computer system used by 41 hotels.
The suit faults Wyndham for not rapidly improving its security measures after the first hacking incident. The third breach, which began in late 2009, came to Wyndham’s notice after a credit card company alerted it that account numbers of customers were being used for fraudulent charges shortly after stays at Wyndham hotels.
The FTC is seeking an injunction requiring security improvements by Wyndham and possible financial damages. No trial date has been set.