On June 26, 2012, the Federal Trade Commission (“FTC”) filed a complaint in federal district court in Arizona against Wyndham Worldwide Corporation and three subsidiaries (“Wyndham”) alleging that the company’s failure to adequately safeguard customers’ personal information led to millions of dollars in losses to fraud.
The FTC complaint alleges that repeated security failures exposed customers’ personal data to unauthorized access, which resulted in the export of payment card account information and fraudulent charges on consumers’ accounts. The complaint further alleges that Wyndham’s privacy policy misrepresented the security measures it used to safeguard personal information, which the FTC claims is an unfair and deceptive practice that violates the FTC Act.
The FTC alleges that a data breach incident which occurred in 2008 at a single hotel’s local computer network enabled intruders to gain further access to the corporate property management system and servers, to install memory-scraping software on the servers, and to access files that contained payment card information. The security measures the FTC claims Wyndham failed to employ include the use of complex user IDs and passwords, firewalls, and network segmentation between the franchise and corporate-managed hotels and the corporate network. Wyndham also allegedly used software configurations on its property management systems which stored sensitive payment card information in clear, readable text.
The complaint goes on to charge that Wyndham, after the first breach incident, failed to remedy security vulnerabilities, employ reasonable measures to detect unauthorized access, and follow proper incident response procedures, failures which the FTC claims resulted in two additional data security breach incidents in less than two years.
Representatives for Wyndham made statements to the press which indicate Wyndham intends to fight the charges.
Federal Trade Commission v. Wyndham Worldwide Corporation et al., U.S. District Court for the District of Arizona, case no. 12-cv-1365.
Written by Gilly Segal, Associate | Alston & Bird LLP