The Federal Trade Commission (FTC) filed a complaint on June 26 against Wyndham Worldwide Corporation and three of its subsidiaries, alleging failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information. The FTC claims that because of this failure, intruders were able to obtain unauthorized access to the Defendants’ computer networks. This led to fraudulent charges on consumers’ accounts, incurring more than $10.6 million in losses, and the exporting of credit card account information to a domain registered in Russia.
Defendants Controlled the Hotels’ Computer Systems
Independent hotels operating under a franchise agreement with Wyndham Hotels had to use a property management system designed by Defendants, which stored consumers’ personal information, including payment information. This system was linked to the Wyndham Hotels corporate network, much of which was located at a Phoenix, Arizona data center operated by Wyndham Hotels. Only Defendants had administrator access to control the property management systems of the independent hotels. Defendants also had direct control over the computer networks of the Wyndham-branded hotels managed by one of the Defendants, Hotel Management.
Wyndham Worldwide was responsible for creating information security policies for itself and for its subsidiaries, and for overseeing subsidiaries’ information security programs.
Defendants have published privacy policies on their websites since at least 2008, claiming that they will safeguard customers’ personally identifiable information “by using standard industry practices,” and that they will “take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards” to protect customers’ information.
Inadequate Data Security Practices
However, the FTC claims that Defendants’ data security practices were inadequate, and thus unnecessarily exposed consumers’ personal data to unauthorized access and theft. Defendants’ security failures led to fraudulent charges on consumers’ accounts.
The FTC alleges such shortcomings as storing credit card information in clear, readable text, failing to limit access between the different property management systems, and failing to secure Defendants’ servers. Also, Defendants did not require the use of complex passwords to access the property management systems, and allowed the use of easily guessed passwords.
The FTC claims that these shortcomings allowed intruders to gain unauthorized access into Wyndham Hotels’ computer networks on three separate occasions, using similar techniques in each of the three occurrences. After discovering each of the first two breaches, Defendants failed to take appropriate measures to prevent another breach.
Violations of the FTC Act
According to the complaint, the representations made in Defendants’ privacy policies were thus inadequate. The FTC alleges that even though Defendants represented to their customers that they had implemented reasonable and appropriate measures to protect their personal information against unauthorized access, they had not in fact implemented these measures, and thus the representations made to the customers were unfair and deceptive and violated the FTC Act. The FTC also claims that this failure to safeguard consumers’ personal information caused or was likely to cause substantial injury to consumers.