Wyndham Hotels’ Hacker Case Transferred

     (CN) – The Federal Trade Commission may transfer to New Jersey claims that Wyndham Worldwide Hotels let Russian hackers into its Phoenix data center, costing “hundreds of thousands of consumers” more than $10.6 million in fraudulent bills, a federal judge ruled.
     The FTC sued Wyndham Worldwide and its subsidiaries in Phoenix Federal Court in June 2012.
     It amended the complaint on Aug. 9, claiming that “defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by defendants on three separate occasions in less than two years.”
     The FTC claimed that Wyndham failed to use firewalls or complex passwords, stored credit card information in clear readable text, and let hotels connect insecure outdated servers to its network from April 2008 through January 2010, which “led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”
     Wyndham learned of the security breaches after customers complained of fraudulent charges on their credit cards. More than 619,000 credit card numbers were compromised, the FTC said.
     The FTC’s amended complaint accuses the hotel chain of unfair and deceptive advertising: claiming that it used industry-standard security to protect guests’ personal information.
     Wyndham asked to transfer the case to the District of New Jersey or the District of Columbia. The FTC opposed the transfer.
     U.S. District Judge Paul Rosenblatt granted Wyndham’s request on March 25, agreeing with its claim that the “vast majority” of people with knowledge of Wyndham’s data security practices work at company headquarters in Parsippany, N.J., whereas only one current and one former employee reside in Arizona.
     “The court agrees with defendants that the potential testimony of the Arizona witnesses is not as significant as that of the New Jersey witnesses,” Rosenblatt wrote. “Stevens and Rowland [the potential witnesses who live outside New Jersey] reported to senior-level employees in New Jersey. The fact they are custodians of records produced during the FTC investigation does not mean that they are key witnesses with respect to the deception and unfairness counts against defendants.”
     Though the FTC claimed that six witnesses live in Arizona, including two Fishnet Security consultants who examined the cyber attacks, the judge sided with Wyndham, which named 11 witnesses who live in New Jersey.
     “Defendants argue that transfer is appropriate because the parties are located in New Jersey and Washington, most of the witnesses reside in or near New Jersey, and defendants’ ‘data-security program – which is the core conduct relevant in this case – was principally devised, implemented, and managed in New Jersey,'” Rosenblatt wrote. “Defendants also assert that the FTC never visited Arizona in the course of its investigation of the case.
     “The FTC argues that the operative facts of the case occurred in Phoenix and that a number of key witnesses reside in Arizona. It also contends that its choice of venue is entitled to deference. The court finds defendants’ arguments more persuasive.”
     Ease of access to sources of proof, relative financial burden, and costs of litigation also favored transfer to New Jersey, the judge said.
     He denied Wyndham’s motion to dismiss and requests from the International Franchise Association and the U.S. Chamber of Commerce’s to file amicus curiae briefs, but said they may refile in New Jersey.
     Defendants include Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management.

%d bloggers like this: