The Federal Trade Commission has filed a lawsuit against Wyndham Worldwide Corporation and three of its subsidiaries, alleging data security failures that resulted in three data breaches at Wyndham hotels within a span of less than two years. The FTC claims that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud losses, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
This legal action is part of the FTC’s ongoing efforts to ensure companies uphold their promises regarding privacy and data security. According to the complaint, Wyndham’s privacy policy misrepresented the security measures taken to protect consumers’ personal information, resulting in substantial consumer injury. The FTC asserts that these security practices were both unfair and deceptive, violating the FTC Act.
Wyndham and its subsidiaries license the Wyndham name to around 90 independently-owned hotels. The FTC claims that the repeated security failures exposed consumers’ personal data to unauthorized access. The defendants allegedly neglected to implement necessary security measures such as complex user IDs and passwords, firewalls, and network segmentation.
The breaches allowed intruders to install “memory-scraping” malware on the property management system servers of Wyndham-branded hotels and gain access to sensitive payment card information. The compromised security procedures led to over 500,000 payment card accounts being compromised, with hundreds of thousands of payment card account numbers exported to a domain registered in Russia.
The FTC contends that, even after the first breach, Wyndham failed to address known security vulnerabilities, detect unauthorized access, or follow proper incident response procedures. Consequently, Wyndham’s security was breached two more times in less than two years.
The defendants in the case include Wyndham Worldwide Corporation and its subsidiaries Wyndham Hotel Group, LLC; Wyndham Hotels and Resorts, LLC; and Wyndham Hotel Management, Inc.
The Commission voted 5-0 to authorize staff to file the complaint, with Commissioner J. Thomas Rosch concurring in the filing but dissenting from including Count II. The complaint was filed in the U.S. District Court for the District of Arizona.
It’s important to note that the filing of the complaint by the Commission indicates a belief that the law has been or is being violated, and it is not a finding or ruling that the defendants have actually violated the law. The FTC’s role is to work for consumers, preventing fraudulent, deceptive, and unfair business practices, and providing information to help consumers spot, stop, and avoid such practices.