FTC Files Complaint Against Wyndham Hotel Group over Security Measures after Data Breaches

Wyndham Hotel Group over the last two years has had three digital breaches that affected more than half a million customers. Now it’s been hit with a lawsuit from the Federal Trade Commission (FTC) for allegedly misrepresenting the security measures in place that were supposed to have prevented the hacker intrusions.

On June 26, 2012, the FTC in a press statement claimed that Wyndham “had subjected consumers’ data to an ‘unfair and deceptive’ lack of protection that led to a series of breaches of Wyndham hotels and those of three subsidiaries.” The hotel chain and its franchisees were hit with the first breach in 2008 that compromised 500,000 credit card numbers stored by the firm, followed by attacks that breached another 50,000 and 69,000 accounts at other locations.

According to the FTC, those breaches are a result of Wyndham’s failure to properly use complex passwords, a network setup that didn’t properly separate corporate and hotel systems, and “improper software configurations” that led to sensitive payment card information being stored without encryption. The FTC alleges this lack of protection contrasts with Wyndham’s privacy policy statements that claim to “recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Programs,” and promise the use of strong encryption and firewalls.

Wyndham said it has fully cooperated with the FTC regarding the investigation into the previously reported data breaches (2008-2010) and that it has “made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services.” It also said that it substantially bolstered its security since the three breaches, and that “to date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks.”

The hotel group plans to fight the FTC’s suit. “We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company,” the company’s statement reads. “In a time when cyber attacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide.”

The data breaches at Wyndham reflect a growing cyber security exposure for the hospitality industry. For example, in 2010 when information security consultancy firm Trustwave performed 1,900 audits and 200 breach investigations, the data showed that while only 3% of the audits were commissioned by the hospitality industry, hotels and resorts were victims in 38% of investigations following successful cybercriminal attacks. Hackers, according to Trustwave, are increasingly targeting specific sectors whose systems they know to be accessible and lucrative – sectors where there is a lot of data, there are easy ways into that data, and intrusions can take a very long time to detect. Hospitality is one such sector.

At IPOAUSA, we fully understand the exposures the hospitality industry faces when it comes to cyber security and privacy issues. As a niche wholesaler in this space, we provide agents with access to markets to write hotels and resorts. Back in April we announced an exclusive new Hotel Insurance Program with Lloyd’s for limited and full-service hotels. The program offers Data Breach coverage through Beazley for limited service hotels, which is normally only available to large resorts. This coverage includes breach notification and credit monitoring services with separate coverage limits for third party claims; breach response coverage for forensic and legal assistance, and notification costs; bureau credit monitoring services; crisis management sublimit for public relations and extraordinary notification expense; a separate limit of liability for privacy, network security and media claims; and more. There is a $100,00 PCI restriction.

For more information about our hotel insurance program, and specifically the Data Breach coverage, please call Stefan Burkey at 877.653.IPOA (4762).