Wyndham Not Winning in the Game to Protect Customer Data?

It’s no secret that there are many credit card scams, especially when you are travelling, and that you have to keep your credit card close by and watch who you give it to and when, anywhere from restaurants to resorts.  It’s also important to carefully review your charges, both on your room and when you return from travel, to make sure that you haven’t been “charged” with credit card fraud.  Most people would hope that their credit card information would be safe, especially with some of the biggest and so-called best hotel and resort companies in the world.  But recently the FTC has filed suit against Wyndham Worldwide, owner of hotels such as Ramada, Days Inn, Travelodge, Super 8 and Howard Johnson and of resorts around the world, as well as time share/vacation ownership participating providers.

This week, the FTC filed a lawsuit against Wyndham Worldwide as a result of breaches in their security systems that led to hundreds of thousands of customers’ credit card information being released or stolen by an Internet domain located in Russia.  However, that is not the only problem that the FTC has allegedly discovered.  The complaint also alleges that Wyndham has not taken appropriate security measures, making theft and fraud that much easier. (See the entire complaint)  Last, but not least, Wyndham is accused of creating further problems for their customers by not being truthful about their security measures and misrepresenting the company’s security policy.

It is alleged that security measures were lax, including a lack of complex user names and passwords, firewalls and network segmentation, and that credit card numbers were stored in plain text.

This is not a new charge against Wyndham.  Apparently they were warned and asked to correct these lapses in security measures in 2008, when “memory scraping” software was able to steal thousands of credit card numbers.  Two more breaches occurred in 2009, in which approximately 119,000 customer accounts were again “scraped” and fraudulent charges were made.  Now it is estimated that more than 600,000 accounts have been compromised, resulting in $10.6 million in fraudulent charges.

The FTC has asked the U.S. District Court for the District of Arizona to order Wyndham to stop deceiving customers about its information security practices, to increase its security practices and to refund lost money to customers.

Wyndham denies the allegations, states that it even cooperated fully in the investigation, and calls the allegations in the lawsuit “without merit.”  In a statement to the BBC they said, “To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks. Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.”

A company statement added: “We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company.”  Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, said the security failings were “obvious.” She added: “We don’t bring cases that we think are close calls.”