Last month the FTC (Federal Trade Commission) filed suit against Wyndham Worldwide over failures to maintain reasonable security standards and protections that led to three separate security breaches, the theft of over 600,000 different individuals’ credit card numbers, and a reported 10.6 million in fraudulent charges over the last two years.
The first attack occurred in April 2008, when the hackers gained access through a Phoenix, AZ branch. After gaining access to the local servers, the intruders were able to reach the Wyndham corporate network, which led to the theft of over 500,000 credit cards. The initial breach was attributed to a failure to make use of standard security procedures such as firewalls, complex user IDs and passwords, and branch and corporate networks. The FTC further alleges that sensitive data such as credit card numbers, expirations, and security codes were stored in plain text.
The FTC alleges that after the initial breach Wyndham neglected to fix known security vulnerabilities and failed to implement unauthorized-access detection methods and incident response methods. This possibly led to two more security breaches in 2009, the first in March and the second later that year. The first attack in 2009 led to over 50,000 consumer card accounts being compromised, and the later attack led to over 69,000.