WASHINGTON – The Federal Trade Commission on Tuesday filed suit against Wyndham Hotels, claiming the hotel and timeshare company’s failure to establish standard security measures led to three data breaches at its hotels in less than two years, exposing as many as 670,000 credit cards to hackers.
The FTC alleges these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud losses and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
The breaches led to more than $10.6 million in fraud losses, according to the FTC.
The agency alleged that Wyndham failed to use security practices, such as complex user identifications and passwords, firewalls, and network segmentation between the hotels and the corporate network. The company also stored sensitive payment card information in clear, readable text, the FTC said.
The data breaches occurred between 2008 and 2010.
Wyndham said it promptly had notified affected hotel customers of the situation and offered them credit-monitoring services. To date, it said, the company has not received any indication that hotel customers experienced a financial loss as a result of the attacks. Wyndham added that it has bolstered its information security since the attacks.
In its complaint, the FTC charged the company’s security practices were unfair and deceptive and, therefore, violated the FTC Act.
According to the FTC, in the first breach in April 2008, intruders gained access to the local computer network of a Wyndham-branded hotel in Phoenix and the corporate network of Wyndham Hotels and Resorts. The breach led to the compromise of more than 500,000 payment card accounts, the FTC said. Wyndham failed to remedy its security vulnerabilities and was attacked again in March 2009 and late 2009, the agency alleged.