Wyndham case highlights security risks of hotel Internet use

A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years

The FTC says Wyndhams,which owns more than 7,000 hotels, alleged security failures led tofraudulent charges on consumers’ accounts, millions of dollars in fraudloss, and the export of hundreds of thousands of consumers’ paymentcard account information to an Internet domain address registered inRussia. In its complaint, the FTC alleges that Wyndham’s privacy policymisrepresented the security measures that the company and itssubsidiaries took to protect consumers’ personal information, and thatits failure to safeguard personal information caused substantialconsumer injury.

The FBI says travelers should be wary of using Internet services inhotels.

The FTC says the repeated security failures exposed consumers’ personaldata to unauthorized access. Wyndham and its subsidiaries failed totake security measures such as complex user IDs and passwords,firewalls and network segmentation between the hotels and the corporatenetwork. In addition, the defendants allowed improper softwareconfigurations which resulted in the storage of sensitive payment cardinformation in clear readable text, the FTC stated.

According to the FTC, each Wyndham hotel has its own propertymanagement computer system that handles payment card transactions andstores information on such things as payment card account numbers,expiration dates, and security codes. According to the FTC, in thefirst breach in April 2008, intruders gained access to aPhoenixWyndham-branded hotel’s local computer network that was connected tothe Internet and the corporate network of Wyndham Hotels and Resorts.Because of Wyndham’s inadequate security procedures, the breach gavethe intruders access to the corporate network of Wyndham’s Hotels andResorts subsidiary, and the property management system servers of 41Wyndham-branded hotels.

Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached two more times in less than two years.

The breach let scammers:

• Install “memory-scraping” malware on numerous Wyndham-branded hotels’property management system servers.

• Access files on Wyndham-branded hotels’ property management systemservers that contained payment card account information for largenumbers of consumers, which was improperly stored in clear readabletext.

• Ultimately, the breach led to the compromise of more than 500,000payment card accounts, and the export of hundreds of thousands ofconsumers’ payment card account numbers to a domain registered inRussia.

In May, the FBI warned travelers there hadbeen an uptick in malicioussoftware infecting laptops and other devices linked to hotelInternetconnections. The FBI wasn’t specific about any particular hotel chain,nor the software involved but stated: “Recent analysis from the FBI andother government agencies demonstrates that malicious actors aretargeting travelers abroad through pop-up windows while they areestablishing an Internet connection in their hotel rooms.”

The FBI recommended that all government, private industry, and academicpersonnel who travel abroad take extra caution before updating softwareproducts through their hotel Internet connection. Checking the authoror digital certificate of any prompted update to see if it correspondsto the software vendor may reveal an attempted attack. The FBI alsorecommends that travelers perform software updates on laptopsimmediately before traveling, and that they download software updatesdirectly from the software vendor’s website if updates are necessarywhile abroad.”

The FBI said typically travelers attempting to set up a hotel roomInternet connection were presented with a pop-up window notifying theuser to update a widely used software product. If the user clicked toaccept and install the update, malicious software was installed on thelaptop. The pop-up window appeared to be offering a routine update to alegitimate software product for which updates are frequently available.

Follow Michael Cooney onTwitter: nwwlayer8 and on Facebook.

Share on LinkedIn Share with Google+