Data breaches are hardly unique in this day, but to see the Federal Trade Commission file suit against a company for suffering a
is. The FTC just filed a lawsuit against hotel operator Wyndham Worldwide -- and three of its subsidiaries -- after the hotels witnessed three
breaches in less than two years.
The FTC alleges that these failures led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia.
Since 2008 Wyndham has claimed, on its Wyndham Hotels and Resorts subsidiary's Web site, that, "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program...."
According to the FTC's complaint, the repeated security failures exposed consumers' personal data to unauthorized access. Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged. In addition, the defendants allowed improper software configurations which resulted in the storage of sensitive payment card information in clear, readable text.
"At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," Wyndham said in a statement. "To date, we have not received any indication that any hotel experienced a financial loss as a result of these attacks."
The FTC's Stick
Mike Reagan, chief officer at LogRhythm, said a priority for blue-chip organizations and global 2,000 companies is to acknowledge and respond to the new cyber threat reality.
"That is, if hackers want to get in to their networks, they will. One only needs to look at the high profile breaches of 2011 and 2012 to see that the threat landscape has changed dramatically," Reagan told us.
He said the key question for executives at these large organizations was this: When a breach does happen, and we know it will, how prepared are we to detect it and respond rapidly to minimize the damage? If that question were asked behind closed doors at the board level of most of these large organizations, he said, you'd be hearing crickets.
"It's unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations," Reagan said. "But for others, they're recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses."