Skip to main content

FTC charges hotel chain with allowing hackers to compromise over 500,000 payment accounts

FTC charges hotel chain with allowing hackers to compromise over 500,000 payment accounts

/

The FTC has filed suit against Wyndham hotel chain, alleging that the company misrepresented its security practices and did little to prevent the theft of 500,000 payment card accounts leading to $10.6 million in fraudulent charges.

Share this story

The US Federal Trade Commission has filed suit against Wyndham Worldwide Corporation, claiming its poor security measures allowed hackers to access hundreds of thousands of customer credit card numbers. The chain of hotels allegedly misrepresented its security measures and did not require things like complex passwords or adequate separation between the hotel and corporate networks. Over the course of two years, the FTC says Wyndham's networks were breached three times, and hackers were able to make off with over 500,000 payment card accounts, which were then sent to a domain registered in Russia. $10.6 million worth of fraudulent charges were then allegedly made on the cards.

In all three cases, hackers compromised a data center in Phoenix, Arizona, either through an administrator account or a local hotel network. Once in, they apparently were able to find credit card information in "clear readable text." The FTC's filing does not include suggested damages, but a recent suit with RockYou (in which 32 million accounts were compromised but no credit card theft or fraudulent charges were alleged) was settled for $250,000. Wyndham acknowledges the hacks but says it was "unaware of any customers losing money because of the breach."