Wyndham Hotels fined over data breach
Contributed by: Email on 06/26/2012 02:00 PM
The U.S. Federal Trade Commission has fined Wyndham Hotels for a string of data breaches that resulted in information on hundreds of thousands of customers being lost to cyber criminals.
An FTC complaint, filed on June 26, 2012, asks for "permanent injunctive relief" against Wyndham for failing to maintain what the FTC calls "reasonable security" necessary to keep intruders from compromising the network of the hotel chain. Wyndham's failure to protect its IT network laid the groundwork for a series of three data breaches in which cyber criminals based in Russia stole financial information later used to generate $10.6 million in fraudulent purchases. A Phoenix, Arizona, data center used by Wyndham was the source of the breach, the FTC said.
The complaint describes an epic failure on the part of Wyndham. It alleges that Wyndham Worldwide failed to adequately protect a property management system that was used to manage some 7,000 hotels under the Wyndham Hotels and Resorts, Days Inn, Ramada and Super 8 brands. Among other things, Wyndham is alleged to have used default administrative user names and passwords on servers that connected to the Hotels and Resorts network. Also, Wyndham Worldwide stored customer credit card data in plain text, and failed to adequately segregate the property management system from the company's corporate intranet and the public Internet.
The result was a string of security breaches between April 2008 and January 2010 and the theft of customer data.
Beginning in April 2008, hackers were able to hopscotch from a single Wyndham hotel's network to the entire Hotels and Resorts network through the company's central property management system. Using a brute force attack, the hackers compromised an administrative account on the Hotels and Resorts network. Wyndham, the complaint alleges, failed to notice the intrusion attempt, despite the fact that the hackers' guessing resulted in more than 200 administrative accounts getting locked out in the process. Among other things, the company lacked an adequate inventory of its IT assets and thus failed to correlate the failed login attempts to just two computers in the company's Phoenix data center.
The first attack went undetected for four months, the FTC complaint alleges. In the end, the property management system servers of 41 Wyndham-branded hotels were involved in the breach and payment information on 500,000 accounts was compromised. Much of that information was exported to a server on a domain registered in Russia.