Information Security News mailing list archives

Learning from Wyndham's Data Breach


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 26 Sep 2012 04:41:37 -0500 (CDT)

http://www.csdecisions.com/2012/09/25/learning-from-wyndhams-data-breach/

By Erin Rigik
Associate Editor
csdecisions.com
Sep 25, 2012

In today’s high tech world, no one is immune to a breach.

This June, the Federal Trade Commission (FTC) sued hotel chain Wyndham Worldwide Corp. after the company suffered multiple security breaches. Allegedly, customer credit card numbers and personal information were stolen from the company three times in less than two years.

The hotel behemoth is an international giant operating resorts and hotels under the Wyndham, Ramada, Super 8, Days Inn and Howard Johnson brands, among others. The amount of credit card data that passes through the company’s accounting system each month is staggering.

The FTC, however, pointed the finger at Wyndham's negligence in relation to security policies at the company's Phoenix data center, where the company stores data and transfers it between its headquarters and its individual business units. As a result, Russian hackers managed to infiltrate its network and install malware on a myriad of Wyndham servers, gaining access to more than 500,000 customer accounts on three separate occasions between 2008 and 2010. The hackers then rang up more than $10.6 million in fraudulent credit card transactions, according to the suit filed in the U.S. District Court of Arizona.

More troubling, according to the FTC's complaint, is that even after the company learned of the first breach it failed to take action to prevent a recurrence, and as a result the hackers were able to gain access on two additional occasions. Had Wyndham required stronger user IDs and passwords, and changed the software that was storing customer credit card data as unencrypted text, the company might have nipped the damage in the bud.
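The unencrypted-card-data point above is the one a practitioner can actually test for. The following is an added example, not code from the original article, from Wyndham, or from the FTC complaint: it scans a set of stored records for plaintext card numbers (13 to 19 digits that pass the Luhn check), then replaces each hit with a keyed HMAC token plus the last four digits so the rest of the system can still join on the card without ever holding the full number. The sample records, the field names and the token key are all constructed for the example; a real deployment would keep the key in an HSM or key-management service, not beside the data.

```python
"""Find plaintext card numbers (PANs) in stored records and replace them
with a keyed token. Added example; records, key and field names are
constructed and not taken from the article or the FTC complaint."""
import hashlib
import hmac
import re

# Constructed sample records, shaped like rows from an accounting table
# that stores card data in the clear. The PANs are standard synthetic
# test numbers, not real cards.
SAMPLE_RECORDS = [
    {"guest": "A. Smith", "card": "4111111111111111", "note": "room 204"},
    {"guest": "B. Jones", "card": "5500 0000 0000 0004", "note": "suite"},
    {"guest": "C. Lee", "card": "1234567890123456", "note": "fails Luhn"},
    {"guest": "D. Kim", "card": "tok_a3f9", "note": "already tokenized"},
]

# Hypothetical tokenization key for the example only. In production this
# lives in an HSM or key-management service, never next to the records.
TOKEN_KEY = b"example-key-do-not-use-in-production"

# 13-19 digits, each optionally followed by a space or dash.
PAN_RE = re.compile(r"^(?:\d[ -]?){13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Plaintext-PAN detector: right shape and passes Luhn."""
    if not PAN_RE.match(value):
        return False
    return luhn_ok(re.sub(r"[ -]", "", value))


def tokenize(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Replace a PAN with an HMAC-SHA256 token plus its last four digits.

    The token is deterministic for the same PAN under the same key, so
    records can still be matched, but it cannot be reversed without the
    key. The last four digits are kept for display, as receipts do."""
    digits = re.sub(r"[ -]", "", pan)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return f"tok_{mac}_{digits[-4:]}"


def scan_and_remediate(records, key: bytes = TOKEN_KEY):
    """Return (findings, cleaned_records).

    findings lists (record index, field name) for every plaintext PAN;
    cleaned_records is a copy of the input with those fields tokenized."""
    findings = []
    cleaned = []
    for idx, rec in enumerate(records):
        new = dict(rec)
        for field, value in rec.items():
            if isinstance(value, str) and looks_like_pan(value):
                findings.append((idx, field))
                new[field] = tokenize(value, key)
        cleaned.append(new)
    return findings, cleaned


if __name__ == "__main__":
    found, fixed = scan_and_remediate(SAMPLE_RECORDS)
    print(f"{len(found)} plaintext PAN(s) found at {found}")
    for row in fixed:
        print(row)
```

Run against a database export or log sample, the scan side of this is the check that would have flagged the unencrypted storage the FTC complaint describes; the tokenize side is one of several ways to stop holding the full number at all (format-preserving encryption or a payment processor's vault are the others), and the HMAC construction is the example's choice, not something the article specifies.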

[...]

--
ExpandingSecurity.com Live OnLine classes won't wreck your schedule.
Get that cert and be done before 2012 ends. Last ISSAP 2012 class starts
Sept. 25th. Last 2012 CISSP and CEH starts Oct. 1:
CEH info signup: http://www.expandingsecurity.com/product/ceh-certified-ethical-hacker-online/
CISSP info signup: http://www.expandingsecurity.com/product/cissp-live-online-10-week-course/
ISSAP info signup: 
http://www.expandingsecurity.com/product/issap-information-systems-security-architecture-professional/ 
