Wyndham Worldwide Corporation, one of the world's largest hospitality industry holding companies, is the latest object of a Federal Trade Commission (FTC) consumer data protection probe. Government officials filed a complaint against the organization this week, holding it responsible for the mismanagement of customer credit card numbers and the millions of dollars in fraudulent charges that ensued.
Three breaches in two years
The FTC lawsuit follows several years of serious data security incidents and questionable resolution tactics from Wyndham. According to the official complaint, the first large-scale breach occurred in April 2009 as hackers circumvented computer network defenses at one of the company's Phoenix-area hotels.
Once inside the systems, the attackers installed "memory-scraping" malware on several servers, which ultimately allowed them to discover a database of customer credit card numbers that was stored in plain text. Leaving this sensitive information unencrypted was later deemed to be Wyndham's first mistake.
Concerns escalated sharply when it was learned that the hackers had not only gained access to more than 500,000 customer accounts, but had also exported the financial data to a website domain registered in Russia.
In the FTC complaint, the company was taken to task for not responding to this serious incident more seriously.
"Wyndham still failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access and failed to follow proper incident response procedures," officials stated. "As a result, Wyndham's security was breached two more times in less than two years."
In March of 2009, hackers used a similar brand of memory-scraping malware to access an additional 50,000 customer credit card numbers from 39 separate hotels to rack up millions of dollars in fraudulent charges. Later that year, cybercriminals struck again in a third incident that saw 69,000 consumer payment card accounts stripped from the servers of 28 different hotels.
Responding to disaster
Despite the long list of allegations leveled against it, Wyndham seems determined to clear its name.
"We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit," company spokesman Michael Valentino confirmed to InformationWeek via email. "We intend to defend against the FTC's claims vigorously."
Valentino went on to say that the hotel chain fundamentally overhauled its IT practices following the attacks and has not received any indication that hotel customers have incurred financial losses. Customers were promptly notified of potential dangers at the time and offered credit monitoring services as well.
Nevertheless, the FTC lawsuit signals a disturbing trend. Taken alongside separate breaches suffered by Global Payments, LinkedIn and others, the Wyndham incident suggests that larger companies may not be allocating their comparatively superior resources to effective data protection.
"It's unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations," network security executive Mike Reagan told CIO Today. "But for others, they're recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses."
Data Security News from SimplySecurity.com by Trend Micro