
Wyndham Hotels Settles Breach Investigation With FTC

The Wyndham Worldwide hotel chain, which has been fighting with the FTC for years after suffering three security breaches in two years that exposed credit card data, settled with the FTC this week.

The hotel chain went as far as to ask the courts to rule that the FTC did not have the authority to regulate corporate cyber hygiene.  The court of appeals, in a decision this past summer, disagreed with Wyndham and said that this was within the FTC’s purview.

The FTC had filed suit against Wyndham in the Third Circuit, so to say that this issue was a bit adversarial would be polite.

Apparently Wyndham realized that they were not going to win this battle and settled with the FTC.  They declared victory by saying that they did not have to admit they were guilty or pay a fine.  Note that the FTC usually does not require either of these as a condition to settling.

What Wyndham did agree to is:

  • The FTC will monitor their behavior, cybersecurity-wise, for the next TWENTY years.
  • The company will obtain annual security audits of its information security program that conform to the PCI standards – something that they should have been doing anyway.
  • The audit will certify that Wyndham is treating franchisee networks as untrusted (the fact that they were trusting the franchisee networks apparently facilitated the previous breaches).
  • The audit will also report on whether the hotel chain is compliant with a formal risk assessment process.
  • If the hotel chain has another breach of more than 10,000 cards, it will obtain an assessment of the breach and hand that assessment over to the FTC.
  • The order says that if Wyndham obtains the necessary compliance certifications, it will be in compliance with this agreement.

The order needs to be approved by the judge overseeing this case, which we assume will not be a problem.

It seems to me that this is only a Pyrrhic victory for Wyndham.  While they may declare victory in the press, the FTC got exactly what they wanted and in fact, what they have usually obtained in a much less adversarial manner.  In the meantime, the FTC will be watching over Wyndham’s information security program for the next 20 years and Wyndham probably spent tens of millions on legal costs, which they get to eat.

I do suspect that this may be the last time a company who has been breached attempts to fight the FTC in this manner.

While the FTC recently suffered a setback in its case against LabMD, that case was different because there was no showing of harm.  In the Wyndham case, 600,000+ credit cards were compromised at a cost of over $10 million.


Information for this post came from the FTC.

Wyndham vs. FTC – This Round Goes To The FTC

The Wyndham Hotel chain was hacked several times going back as far as 2012.  The FTC came after the hotel chain using Section 5 of the FTC Act, claiming unfair business practices.

Usually what happens in these cases – and there have been a number of them – is that the company and the FTC come to an agreement;  the company signs a consent order and the FTC watches the company closely for the next 10 to 20 years.  That’s right.  That is not a typo.

That is the downside of getting on the radar of the FTC.  20 years is a long time to have a government agency looking at you with a microscope.

Wyndham decided to take a different approach.  They claimed that the FTC Act did not give the FTC authority to regulate cyber security practices.  They went even further, saying that the FTC had not provided them a cookbook for how to protect the company, so how could it complain that Wyndham wasn’t doing it right?  Of course, the 600,000+ credit cardholders whose cards were compromised might not agree with this theory.

In fact, in the Bluemaumau article linked to below, hotel industry consultants pretty much give Wyndham an F in security.

Privacy advocates worried that if the courts agreed with Wyndham, the government would have no effective means to encourage companies to protect their customers’ information.

The decision this week is the appeal of a motion that Wyndham made to the District Court to dismiss the case on the grounds that the FTC did not have authority.  On appeal, the Third Circuit Court handed Wyndham their butt:

The court laid out in excruciating detail the allegations against Wyndham: allowing hotels to store payment card information in plaintext, using outrageously easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, failing to deploy reasonable measures to detect and respond to cyber attacks. This has led to three reported incidents of major data breaches, with personal data for hundreds of thousands of customers whisked over to servers in Russia. The breaches, which resulted in more than $10 million in fraudulent transactions, were only discovered after customers complained to credit card companies about unauthorized charges.

At this point, Wyndham can appeal the decision, enter into a consent agreement with the FTC or go to trial.

I doubt they want to go to trial because if they do, the practices described above will come out publicly in all their glory and I don’t think Wyndham wants that kind of press coverage.

Hopefully, this will settle the issue as to whether the FTC has authority.  If Wyndham decides to appeal, then we will have to wait for that decision.

If Wyndham decides to settle, then we will have to see if the FTC comes down harder on them because they have been fighting it for three years.  Even if everyone agrees to the normal 20-year agreement, that means that the executive team at Wyndham will be reminded for the next 20 years of these three breaches.

This is not a ruling on the merits of the case;  assuming the two parties don’t settle, that will be decided at trial in the District Court in New Jersey.

Given Wyndham has been fighting this for three years, I would be surprised if they want to continue to spend hundreds of thousands of dollars on legal fees, but who knows.

Stay tuned for more details.

For other businesses, this is a notice that they should review what the FTC has considered unfair in the past and make sure that their security practices are not going to run afoul of those FTC concerns.

Information for this post came from IAPP and Bluemaumau and another IAPP article here.