Between 2008 and 2009, Wyndham Hotels and Resorts was successfully hacked three times. This was not an arms race in which increasingly proficient hackers were pitted against increasingly elaborate cyber security on Wyndham's side: the hackers used similar methods in all three data breaches.
Wyndham allegedly failed to take appropriate action after each successive breach and over 619,000 Wyndham customers had their payment card information exposed.
A data breach is often embarrassing for the company, but the way the company handles the aftermath is crucial in determining culpability. In this case, Wyndham was taken to court by the Federal Trade Commission (FTC) for failing to address the weaknesses in its cyber security system that the hackers had exploited not once or twice, but three times.
Specifically, the Complaint filed by the FTC alleged that Wyndham stored payment information unencrypted, had “easily guessable” property management system passwords, didn’t use basic security measures like firewalls to limit information distribution between the various networks, and a host of other cyber security lapses.
Wyndham eventually settled the case with the FTC by agreeing to establish a comprehensive information security program for consumer information, subject to yearly audits to make sure the program complies with the Payment Card Industry Data Security Standard (PCI DSS). Wyndham must also report any further data breach affecting more than 10,000 individual card numbers to the FTC within ten days. These obligations remain in place for 20 years.
Federal Trade Commission v. Wyndham Worldwide Corp. helped set some standards for securing a consumer's information, along with providing valuable insight into the correct procedure for a company following a security breach. In addition, it established the authority of the FTC to litigate such matters under the "unfair practices" prong of Section 5 of the FTC Act: a company's failure to maintain reasonable security, and to fix known weaknesses after a breach, can itself be an unfair practice.