PHOENIX (CN) – Wyndham Worldwide, one of the world’s largest hotel companies, let Russian hackers into its Phoenix data center, costing “hundreds of thousands of consumers” more than $10.6 million in fraudulent bills, the FTC claims in Federal Court.
The Federal Trade Commission claims that the failure of Wyndham Worldwide and its subsidiaries – Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management – to “maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts LLC, and several hotels franchised and managed by defendants on three separate occasions in less than two years.”
From April 2008 through January 2010, Wyndham “failed to use readily available security measures to limit access between and among the Wyndham-branded hotels’ property management systems, the Hotels and Resorts’ corporate network, and the Internet, such as by employing firewalls;” “allowed software at the Wyndham-branded hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text;” and “permitted Wyndham-branded hotels to connect insecure servers to the Hotels and Resorts’ network, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities,” according to the FTC complaint.
The FTC claims that Wyndham “did not require the use of complex passwords for access to the Wyndham-branded hotels’ property management systems and allowed the use of easily guessed passwords. For example, to allow remote access to a hotel’s property management system, which was developed by software developer Micros Systems Inc., defendants used the phrase ‘micros’ as both the user ID and the password.”
Because of Wyndham’s security failures, intruders gained unauthorized access using “similar techniques on each occasion to access personal information stored on the Wyndham-branded hotels’ property management system servers, including customers’ payment card account numbers, expiration dates, and security codes,” the complaint states.
Wyndham’s security failures “led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia,” the FTC says.
The hotel chain learned of the security breaches when customers who had booked stays at Wyndham hotels complained of fraudulent charges on their credit cards.
More than 619,000 credit card numbers were compromised during the security breach, the complaint states.
The FTC seeks a permanent injunction to prevent further violations of the Federal Trade Commission Act, “rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”