The Wyndham data breach case: Lessons to be learned in cybersecurity

One year ago we discussed a case involving hackers who had obtained personal information on 619,000 hotel guests of Wyndham Worldwide Corporation [Wyndham][see Are Tourists Safe from Hackers and Negligent Suppliers?, www.eturbonews.com (9/24/2014)]. That case, Federal Trade Commission v. Wyndham Worldwide Corporation, 2014 WL 2812049 (D.N.J. 2014), resulted in a decision finding that the FTC had sufficiently pled claims against Wyndham under the Federal Trade Commission Act for “unfairness” by specifically setting forth data security insufficiencies and “deception” by overstating its privacy policy on its website. Recently, the U.S. Court of Appeals for the Third Circuit affirmed the District Court’s decision.

Travel Law Update

In Corso, Airbnb To Collect Tourism Tax From Paris Visitors, law360.com (8/25/2015) it was noted that “A recent change in French tax policy…has made it easier for home-sharing sites like Airbnb to collect tourism taxes directly, the company says. It told tourists booking rooms in Paris that they could soon expect to see a charge of €0.83 ($0.95) per day added directly to their bill. The company also announced that it has plans to expand the new tax collection procedures throughout other cities in France”.

Airline Seats Antitrust Cases

In Reisinger, Airline Seats Antitrust Case Heads for Takeoff, corpcounsel.com (8/26/2015) it was noted that “More than 75 class action lawsuits have been filed across the country so far against the four major airlines that are the targets of an antitrust investigation by the Department of Justice, which is exploring whether the airlines kept ticket prices high by limiting the number of available seats. A federal judicial panel on multi-district litigation has scheduled an Oct. 1 hearing to consider requests to combine the cases before one federal court”.

Serengeti Highway On Hold

In East Africa court appeal affirms ruling against Serengeti Highway, www.eturbonews.com (8/26/2015) it was noted that “In a recent decision…the Appeals Division of the Arusha-based East African Court of Justice upheld (in part) the ruling of the lower court in regard to a permanent injunction sought by the African Network for Animal Welfare…on behalf of the Tanzanian, East African and global conservation community…With the June 2014 decision now by and large standing, Tanzania will find it next to impossible to build a paved highway across the Serengeti’s most vulnerable migration routes”.

Uber Wi-Fi In India

In Mozur, Uber to Provide Free In-Car Wi-Fi in India, nytimes.com (8/21/2015) it was noted that “In India, a country notorious for city-snarling traffic jams, Uber is hoping free in-car Wi-Fi will lure customers who don’t want long transit times to take them offline…The company said in a news release that Bharti Airtel would operate the Wi-Fi through its new fourth-generation network in all 18 cities, including Mumbai, Delhi and Bangalore, where Uber operates. As part of the deal, Uber is also offering discounted cellphone plans for drivers and accepting payments using Airtel’s mobile payment platform”.

The Wyndham Case

In Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. 2015) the Court of Appeals held “The Federal Trade Commission Act prohibits ‘unfair or deceptive acts or practices in or affecting commerce’. 15 U.S.C. 45(a). In 2005 the (FTC) began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement”.

The Security Breaches

“On three occasions in 2008 and 2009 hackers successfully accessed (Wyndham’s) computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham’s motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of Section 45(a); and if so whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision. We affirm the District Court”.

Wyndham’s Cybersecurity

“(Wyndham) is a hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries. Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information that includes names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates and security codes. Wyndham ‘manage[s]’ these systems and requires the hotels to ‘purchase and configure’ them to its own specifications…It also operates a computer network in Phoenix, Arizona, that connects its data center with the property management systems of each of the Wyndham-branded hotels”.

The FTC Allegations

“The FTC alleges that, at least since April 2008, Wyndham engaged in unfair cybersecurity practices that ‘taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft’…This claim is fleshed out as follows:”

Clear Readable Text

“1. The company allowed Wyndham-branded hotels to store payment card information in clear readable text”.

Easily Guessed Passwords

“2. Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain ‘remote access to at least one hotel’s system’ which was developed by Micros Systems, Inc., the user ID and password were both ‘micros’”.

Absence Of Firewalls

“3. Wyndham failed to use ‘readily available security measures’-such as firewalls-to ‘limit access between [the] hotels’ property management systems,…corporate network and the Internet’”.

Inadequate Policies-Out Of Date Systems

“4. Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented ‘adequate information security policies and procedures’…Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though ‘default user IDs and passwords were enabled…which were easily available to hackers through simple Internet searches’. And, because it failed to maintain an ‘adequate[] inventory [of] computers connected to [Wyndham’s] network [to] manage the devices’, it was unable to identify the source of at least one of the cybersecurity attacks”.

Failure To Restrict Access

“5. Wyndham failed to ‘adequately restrict’ the access of third-party vendors to its network and the servers of Wyndham-branded hotels. For example, it did not ‘restrict[] connections to specified IP addresses or grant[] temporary, limited access, as necessary’”.

Failure To Conduct Security Investigations

“6. It failed to employ ‘reasonable measures to detect and prevent unauthorized access’ to its computer network or to ‘conduct security investigations’”.

Improper Incident Response Procedures

“7. It did not follow ‘proper incident response procedures’…The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions”.
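Three of the conditions listed above can be checked mechanically by whoever operates or audits a property management system: card numbers stored in clear readable text (item 1), default or reused credentials (item 2), and vendor access rules that are not tied to specific source addresses or a time limit (item 5). The following Python audit is an added illustration from a defender's side; it is not part of the article, the court record, or any Wyndham or Micros software. All records, hosts, vendor names and addresses are constructed for the example, the only credential pair taken from the allegations is 'micros'/'micros', and the other default pairs are illustrative.

```python
"""Small audit over constructed PMS data for the conditions in allegations 1, 2 and 5.

Everything below is invented for illustration; nothing comes from the case record.
"""
import ipaddress
import re

# A run of 13-19 digits, allowing the space/hyphen grouping card numbers are often stored with.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# 'micros'/'micros' is the pair named in the allegations; the other two are
# illustrative well-known vendor defaults (assumption, not from the page).
KNOWN_DEFAULT_CREDENTIALS = {("micros", "micros"), ("admin", "admin"), ("root", "root")}


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid 13-19 digit run (a likely card number in the clear)."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0))) for m in _PAN_CANDIDATE.finditer(text))


def find_cleartext_pans(records):
    """Ids of records with at least one string field holding a likely card number."""
    return [rec["id"] for rec in records
            if any(isinstance(v, str) and contains_pan(v) for v in rec.values())]


def find_weak_credentials(accounts, min_length=8):
    """Hosts whose account uses a known default pair, reuses the user ID as password, or is too short."""
    hosts = []
    for acct in accounts:
        user, pw = acct["user"].lower(), acct["password"]
        if (user, pw.lower()) in KNOWN_DEFAULT_CREDENTIALS or pw.lower() == user or len(pw) < min_length:
            hosts.append(acct["host"])
    return hosts


def find_unrestricted_vendor_access(rules):
    """Vendors whose rule admits any source network (/0) or has no expiry date."""
    vendors = []
    for rule in rules:
        any_source = any(ipaddress.ip_network(src, strict=False).prefixlen == 0
                         for src in rule["allowed_sources"])
        if any_source or rule.get("expires") is None:
            vendors.append(rule["vendor"])
    return vendors


# Constructed sample data (hypothetical hosts, vendors and RFC 5737 documentation addresses).
PMS_RECORDS = [
    {"id": 1, "guest": "Guest One", "card": "4111 1111 1111 1111", "exp": "12/26"},  # cleartext PAN (standard test number)
    {"id": 2, "guest": "Guest Two", "card": "tok_4f9c2a81", "exp": "03/27"},         # tokenized: nothing to recover
    {"id": 3, "guest": "Guest Three", "notes": "callback 555-123-4567"},             # 10-digit phone, not a PAN
    {"id": 4, "guest": "Guest Four", "card": "4111 1111 1111 1112"},                # 16 digits but fails Luhn
]
ACCOUNTS = [
    {"host": "pms-hotel-01", "user": "micros", "password": "micros"},       # default pair from the allegations
    {"host": "pms-hotel-02", "user": "frontdesk", "password": "Kq8#vL2m!wZ"},
    {"host": "pms-hotel-03", "user": "admin", "password": "Admin"},         # password is the user ID
]
VENDOR_ACCESS = [
    {"vendor": "pos-support", "allowed_sources": ["203.0.113.10/32"], "expires": "2009-06-30"},
    {"vendor": "pms-maintenance", "allowed_sources": ["0.0.0.0/0"], "expires": None},
]


def audit(records=PMS_RECORDS, accounts=ACCOUNTS, rules=VENDOR_ACCESS):
    """Run all three checks and return the findings keyed by allegation theme."""
    return {
        "cleartext_pans": find_cleartext_pans(records),
        "weak_credentials": find_weak_credentials(accounts),
        "unrestricted_vendor_access": find_unrestricted_vendor_access(rules),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items or 'none'}")
```

The Luhn check is a checksum, not proof that a digit run is a card number, so the first check trades a few false positives for catching numbers stored with separators; pointing the same scan at exports, backups and log files is where cleartext card data most often turns up. The vendor-access check treats a /0 source or a missing expiry as the failure the court describes, access that is neither limited to specified addresses nor temporary.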

Overstated Privacy Policy

“Although not before us on appeal, the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company’s cybersecurity. ‘We safeguard our Customers’ personally identifiable information by using industry standard practices. Although ‘guaranteed’ security does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information-such as credit card numbers, online forms, and financial data-from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards…’. The FTC alleges that, contrary to this policy, Wyndham did not use encryption, firewalls and other commercially reasonable methods for protecting consumer data”.

First Cybersecurity Attack

“As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method-repeatedly guessing users’ login ID and passwords-to access an administrator account on Wyndham’s network. This enabled them to obtain other consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia”.

Second Cybersecurity Attack

“In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered ‘memory-scraping malware’ used in the previous attack on more than thirty hotels’ computer system…The FTC asserts that, due to Wyndham’s ‘failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months’. In this second attack, the hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels”.

Third Cybersecurity Attack

“Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account of one of its networks. Because Wyndham ‘had still not adequately limited access between…the Wyndham-branded hotels’ property management systems, [Wyndham’s network] and the Internet’, the hackers had access to the property management servers of multiple hotels… Wyndham only learned of the intrusion in January 2010 when a credit card company received complaints from cardholders. In this third attack, hackers obtained payment card information for approximately 69,000 customers from the property management systems at 28 hotels”.

The Damages Done

“The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through ‘unreimbursed fraudulent charges, increased costs, and lost access to funds or credit’…and that they ‘expended time and money resolving fraudulent charges and mitigating subsequent harm’”.

Conclusion

All travel suppliers and resellers should take careful note of Wyndham’s alleged failure to adequately protect its guests’ personal information from hackers.

The author, Justice Dickerson, has been writing about Travel Law for 39 years including his annually updated law books, Travel Law, Law Journal Press (2015) and Litigating International Torts in U.S. Courts, Thomson Reuters WestLaw (2015), and over 350 legal articles. For additional travel law news and developments, especially in the member states of the EU, see IFTTA.org.

This article may not be reproduced without the permission of Thomas A. Dickerson.

About the author

Linda Hohnholz

Editor in chief for eTurboNews based in the eTN HQ.