PHILADELPHIA (CN) – Wyndham Worldwide must face charges of unfair trade practices after lax cybersecurity led to a massive hack of the hotel chain, the Third Circuit ruled.
The parent of Days Inn, Ramada and Travelodge experienced three security breaches beginning in 2008 when hackers guessed the login information of a hotel in Phoenix connected to the company’s network, giving them access to the unencrypted information of 500,000 customers.
In 2009, the hackers installed malware through an administrative account. The hacks ultimately compromised the information of estimated 619,000 customers and caused about $10.6 million in losses.
The Federal Trade Commission filed a federal complaint against Wyndham in Arizona, claiming that it failed to take even standard security steps, such as setting up a firewall, creating sufficiently complex passwords for administrative accounts, keeping vigilant for unauthorized access, and updating the operating systems to which it connected its computers.
Regulators further claimed that Wyndham’s practices were at odds with the security policy it provided to customers that boasted of heightened security, including encryption and a firewall.
Wyndham, which had the FTC case against it transferred to New Jersey, argued that the attack was beyond the FTC’s purview, claiming that the agency could only prosecute instances of “unethical” or “unscrupulous” behavior.
After denying the hotelier’s motion to dismiss, U.S. District Judge Esther Salas certified to the Third Circuit the question of the FTC’s authority to regulate cybersecurity under the unfairness prong of the Federal Trade Commission Act.
Section 45(a) of that statute prohibits “unfair or deceptive acts or practices in or affecting commerce.”
A three-judge panel with the federal appeals affirmed Monday, finding that the agency has broad authority secured by the Supreme Court in 1972 to more or less pursue “unjustified consumer injury.”
The court scoffed at Wyndham’s claim that such an authority would let the FTC sue everyone even supermarkets that leave stray banana peels lying around.
“The argument is alarmist to say the least,” Judge Thomas Ambro wrote for the court. “And it invites the 21 tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”
Proving that cybersecurity concerns will remain a priority for regulators, the Third Circuit’s ruling comes on the heels of a massive breach at Ashley Madison, a dating website that catered married men having extramarital affairs.
With the personal information of 37 million users implicated, federal complaints have begun to trickle in California and Canada, where the company’s parent, Avid Life, is based.
- Ninth Circuit Cracks Down on|Routine Shackling in San Diego Federal Court
- LA City Council Approves Uber, Lyft at Airport