BreachExchange mailing list archives

follow-up: Learning from Wyndham's Data Breach


From: security curmudgeon <jericho () attrition org>
Date: Sat, 29 Sep 2012 22:58:56 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.csdecisions.com/2012/09/25/learning-from-wyndhams-data-breach/

By Erin Rigik
Associate Editor
csdecisions.com
Sep 25, 2012

In today's high tech world, no one is immune to a breach.

This June, The Federal Trade Commission (FTC) sued hotel dynasty Wyndham 
Worldwide Corp., after the company suffered multiple security breaches. 
Allegedly, customer credit card numbers and personal information were 
stolen from the company three times in less than two years.

The hotel behemoth is an international giant operating resorts and hotels 
under the Wyndham, Ramada, Super 8, Days Inn and Howard Johnson brands, 
among others. The amount of credit card data that passes through the 
company's accounting system each month is staggering.

However, the FTC pointed the finger at Wyndham's negligence in relation to 
security policies at the company's Phoenix data center, where the company 
stores and transfers data between its headquarters and its individual 
business units. As a result, Russian hackers managed to infiltrate its 
system and install phishing software on a myriad of Wyndham servers, 
gaining access to more than 500,000 customer accounts on three separate 
occasions between 2008 and 2010. Hackers then rang up more than $10.6 
million in fraudulent credit card transactions, according to the suit 
filed in the U.S. District Court of Arizona.

But more troubling was that even after the company learned of the breach, 
it failed to take action to prevent it from happening again, according to 
the FTC's complaint, and as a result, the hackers were able to gain access 
on, not one, but two additional occasions. If Wyndham had added more 
complex user IDs and passwords, and made changes to software that was 
storing customer credit card data as unencrypted text, the company may 
have nipped the damage in the bud.

[...]
