The Federal Trade Commission said Tuesday that it has filed a lawsuit against the hotel chain Wyndham Worldwide Corp., claiming inadequate security measures at the company and three of its subsidiaries led to three data breaches in less than two years.
In a complaint filed in U.S. district court in Arizona, the commission claimed that Wyndham's failure to secure customer data led to fraudulent charges on consumer accounts, costing millions of dollars and the transfer of hundreds of thousands of credit card numbers to hackers most likely based in Russia.
The FTC said the failure to properly secure customer data contradicted Wyndham's own privacy policies and violated the FTC Act's prohibition against unfair and deceptive practices.
The FTC alleges that Wyndham, which operates 7,200 hotels worldwide, failed to use proper security measures to protect customer data such as complex user IDs and passwords and firewalls.
The commission said that in the first security breach in April 2008, hackers accessed the local computer network of a Wyndham hotel in Phoenix. The intrusion allowed the hackers to gain access to the Wyndham Hotels and Resorts corporate network and install malware and access files containing payment account information. As a result, hackers gained access to more than a half-million payment card accounts and exported payment data to a website registered in Russia.
Despite this, the FTC said Wyndham and its subsidiaries failed to fix the security problems and as a result the hotel chain was hit with two more breaches in 2009 using similar techniques employed the first time.
"Defendants' failure to implement reasonable and appropriate security measures exposed consumers' personal information to unauthorized access, collection, and use," according to the complaint. "Such exposure of consumers' personal information has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses."
The commission urged the court to order Wyndham to stop engaging in the activities outlined in the lawsuit and award relief to those injured by the company's failure secure sensitive data.
Wyndham did not respond to a request for comment on the lawsuit.
The incident is just one of many reported in recent years involving major corporations and has prompted calls for Congress to require companies to do more to prevent and respond to security breaches. Several bills have been introduced in Congress but so far lawmakers have yet to move any legislation beyond the committee level.