Re: [Dataloss] FTC sues Wyndham hotels over data breaches

["B.K. DeLong" <bkdelong () pobox com>]

Really? Three separate incidents? What of their PCI Compliance for each of
these years? Some of the violations sound like basic breaches of the
PCI-DSS.

Did the Council and/or their processor take action to ensure complete
compliance after the first breach and prior to the second or were
compensating controls accepted as enough mitigation. I wonder what Wyndham
corporate clients think about this seeing as plenty of business events are
hosted at their venues.

When even this baseline level of security is not properly implemented,
three breaches in a row does make you wonder.
On Jun 26, 2012 5:22 PM, "Jake Kouns" <jkouns () opensecurityfoundation org>
wrote:

> http://news.cnet.com/8301-1009_3-57460551-83/ftc-sues-wyndham-hotels-over-data-breaches/
>
> Hackers stole information from hundreds of thousands of payment cards,
> resulting, the trade commission says, in millions of dollars in fraud
> loss.
>
> The U.S. Federal Trade Commission has filed a lawsuit against hotel
> chain Wyndham Worldwide and three subsidiaries for allegedly storing
> data in plain text and other security failures that enabled hackers to
> access more than 600,000 payment card accounts in three data breaches
> in less than two years.
>
> The hackers exported the payment card account data to an Internet
> domain address registered in Russia, according to the FTC lawsuit
> (PDF). They then used the data stolen from Wyndham's data center in
> Phoenix to make transactions, resulting in fraud losses of more than
> $10.6 million, the suit says.
>
> The FTC suit alleges that Wyndham's privacy policy misrepresented the
> security measures the company and its subsidiaries took to protect
> customer personal information. In addition to storing card data in
> plain text, the hotel chain failed to: use firewalls; remedy known
> security vulnerabilities; update and patch software; change default
> user IDs and passwords on servers; and require strong user passwords,
> the FTC alleges.
>
> The company's privacy policy on its Web site states, "We recognize the
> importance of protecting the privacy of individual-specific
> (personally identifiable) information collected about guests, callers
> to our central reservation centers, visitors to our Web sites, and
> members participating in our Loyalty Program (collectively,
> "Customers")...." the suit notes. The security practices were unfair
> and deceptive and violated the FTC Act, the suit alleges.
>
> Wyndham had cooperated with the FTC and offered customers credit
> monitoring services after the breaches, said spokesman Michael
> Valentino. "To date, we have not received any indication that any
> hotel customer experienced a financial loss as a result of these
> attacks," he said in a statement provided to CNET. "Since these
> events, we have made significant enhancements to our information
> security, and have assisted franchised and managed Wyndham Hotels and
> Resorts-brand hotels in enhancing their information security.
>
> "We regret the FTC's recent decision to pursue litigation, as we have
> fully cooperated in its investigation and believe its claims are
> without merit. We intend to defend against the FTC's claims
> vigorously, and do not believe the outcome of this litigation will
> have a material adverse effect on our company," the statement said.
> "In a time when cyberattacks on private and public institutions are on
> the rise globally, safeguarding customer information remains a top
> priority at Wyndham Worldwide. Unfortunately, as this matter is now
> the subject of pending litigation, it would be inappropriate for us to
> provide further comment at this time."
>
> In the first breach, hackers were able to get into the network of a
> local Wyndham hotel in Phoenix in April 2008, and from there into the
> property management system servers of other hotels, and they used
> "memory-scraping" malware to steal data, according to the FTC suit
> filed in federal district court in Arizona.
>
> In March 2009, hackers gained access to Wyndham systems via a service
> provider's administrator account in the Wyndham data center in Phoenix
> and had access to the network for about two months, the lawsuit says.
> The hackers used the malware to get the data and reconfigured software
> to cause the hotel computer systems to create clear text files
> containing the payment card account numbers of customers, according to
> the suit.
>
> In the third breach, hackers compromised an administrator account in
> late 2009 and, again, the hotel learned about the intrusion from a
> credit card issuer in January 2010, the lawsuit says.
> Tons of companies have data breaches, but not many generate a lawsuit
> from the government. Earlier this year, credit card processor Global
> Payments said as many as 1.5 million credit card accounts were
> compromised. And a few weeks ago, LinkedIn, eHarmony, and Last.fm
> confirmed that user passwords -- potentially as many as 8 million --
> were stolen and ended up posted to a hacker forum.
>
> An attorney specializing in high-tech law questioned the FTC's
> authority to enforce minimum security practices at companies and noted
> that the consumer privacy language on Wyndham's Web site that the FTC
> says is deceptive and unfair is actually standard across the Internet.
> "The FTC has decided not only that there are minimal standards for
> security, but that they are the policing agent for that, all without
> Congressional approval," said Eric Goldman, assistant law professor at
> Santa Clara University School of Law.
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
> Archived at http://seclists.org/dataloss/
> Unsubscribe at http://datalossdb.org/mailing_list
>
> Supporters:
>
> Risk Based Security (http://www.riskbasedsecurity.com/)
> Risk Based Security equips organizations with security intelligence, risk
> management services and on-demand security solutions to establish
> customized risk-based programs to address information security and
> compliance challenges.
>
> Tenable Network Security (http://www.tenable.com/)
> Tenable Network Security provides a suite of solutions which unify
> real-time
> vulnerability, event and compliance monitoring into a single, role-based,
> interface
> for administrators, auditors and risk managers to evaluate, communicate and
> report needed information for effective decision making and systems
> management.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.