Slashdot Mirror


FTC Files Complaint Against Wyndham For Hotel Data Breaches

coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."


  1. So fine them money they already didn't spend? by gelfling · · Score: 3, Interesting

    I suppose morally or ethically this is needed, but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short-sighted. Maybe a Wall of Shame that requires them to post signs everywhere and on their websites, that Wyndham is REALLY bad and indifferent to security and they have and will probably again lose your data, is what's needed.

    1. Re:So fine them money they already didn't spend? by drinkypoo · · Score: 2

      If they didn't want to be fined money they didn't have, they shouldn't have done something they couldn't afford to do without exposing their customers to risk.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:So fine them money they already didn't spend? by Stan92057 · · Score: 2

      It's called punishment. It's a business, so taking its money is one of the things that can be done. I personally think the CEO should be jailed, or whoever signed off on not securing the network.

      --
      Jack of all trades, master of none
    3. Re:So fine them money they already didn't spend? by justdiver · · Score: 2

      Regardless of whether they a) didn't have the money to properly secure their networks or b) had the money but didn't want to spend it, they are responsible for the loss of data. They either knew their security was lax, in which case don't offer WiFi, or they didn't know their security was lax, in which case still don't offer WiFi.

    4. Re:So fine them money they already didn't spend? by BaileDelPepino · · Score: 5, Informative

      I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.

      Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine)

      a. failed to use ... firewalls
      b. allowed ... storage of payment card information in clear readable text;
      ...
      d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
      e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
      f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
      g. failed to adequately inventory computers connected to the ... network;
      h. failed to ... conduct security investigations;
      i. failed to ... monitor ... network for malware used in a previous intrusion; and
      j. failed to adequately restrict third-party vendors’ access to ... property management systems ...

      --
      Miren al Pepino! Los vegetales invidian a su amigo, como él quieren bailar. Pepino Bailarín!
    5. Re:So fine them money they already didn't spend? by netwarerip · · Score: 2

      Wouldn't it then be more productive if the companies in question were instead forced to hire an FTC-appointed network security inspector and apply any and all changes the inspector tells them to at their own cost?

      In theory that would work, but in reality they will just end up getting someone a lot like the OCC, FRB, and state banking authority auditors. They are ridiculously uninformed and ignorant about security practices and IT in general. They will go through a generic checklist, demand stupid policy documents, and basically waste time and money on both ends (the gov't's and the company's).

    6. Re:So fine them money they already didn't spend? by uigrad_2000 · · Score: 2

      Hotels are a well-known "wild west".

      If you are on Linux, turn on firewall logging and check out the results. If you are on Windows, fire up ZoneAlarm. You'll probably be hammered on port 445 with worms/viruses attempting to propagate through Windows sharing. As far as I can tell, Windows Firewall doesn't detect these attacks, but I'm not a Windows expert. It's sad that a product called "Windows Firewall" lacks the most important part of the title (the firewall).

      After you see the repeating pattern (for example, a new request every 40 seconds, or something similar), walk down to the front desk and try to report it. You'll probably be met with blank stares. Any way you attempt to explain the issue will not work, unless you can include the key phrases "blinking light" or "reboot". Good luck with that.

      I don't want to defend this hotel chain too much, but I don't expect this to change any time soon. All the things in your list probably fit into the generic definition of "industry standard practices." Actual security would be far above industry standards. :(

      --
      Free unix account: freeshell.org
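An added example of the check the comment above describes, not code from the thread or from any firewall product: it reads netfilter-style LOG lines, groups TCP/445 hits by source address and reports the count and median interval per source, so a steady 40-second beat stands out from a one-off scan. The SRC=, DST=, PROTO= and DPT= field names are the ones the kernel's LOG target really emits; the host name, addresses and timestamps are constructed here and the lines are shortened to the fields that matter.

```python
"""Spot a repeating SMB (TCP/445) probe in netfilter firewall logs.

Added example, not code from the Slashdot thread or any firewall product.
SAMPLE_LOG is constructed (made-up host, addresses and times, shortened
to the relevant fields); the SRC=/DST=/PROTO=/DPT= field names are the
ones netfilter's LOG target writes to the kernel log.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Syslog timestamp, then the netfilter fields in the order LOG emits them:
# ... SRC= DST= ... PROTO= ... DPT= (ICMP lines have no DPT and are skipped).
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str, year: int = 2012):
    """Parse one LOG line into a dict, or return None if it is not one."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def repeated_probes(lines, port: int = 445, min_hits: int = 3) -> dict:
    """Group TCP hits on `port` by source; report sources seen >= min_hits times.

    Returns {src: {"hits": n, "median_gap_s": seconds between hits}}.
    A small, steady median gap is the "repeating pattern" a worm produces.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            by_src[rec["src"]].append(rec["ts"])
    report = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src] = {"hits": len(stamps), "median_gap_s": median(gaps)}
    return report


# Constructed sample: .77 beats on 445 every 40 s, .55 hits it only twice,
# and .77 also sends a NetBIOS (UDP/137) broadcast that must be ignored.
SAMPLE_LOG = """\
Jun 26 22:14:03 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.77 DST=10.20.31.142 LEN=52 TTL=128 ID=3217 DF PROTO=TCP SPT=1043 DPT=445 WINDOW=65535 SYN URGP=0
Jun 26 22:14:20 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.55 DST=10.20.31.142 LEN=52 TTL=64 ID=7710 DF PROTO=TCP SPT=38852 DPT=445 WINDOW=5840 SYN URGP=0
Jun 26 22:14:30 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.77 DST=10.20.31.255 LEN=78 TTL=128 ID=3220 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 26 22:14:43 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.77 DST=10.20.31.142 LEN=52 TTL=128 ID=3241 DF PROTO=TCP SPT=1044 DPT=445 WINDOW=65535 SYN URGP=0
Jun 26 22:14:50 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.55 DST=10.20.31.142 LEN=52 TTL=64 ID=7711 DF PROTO=TCP SPT=38853 DPT=445 WINDOW=5840 SYN URGP=0
Jun 26 22:15:23 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.77 DST=10.20.31.142 LEN=52 TTL=128 ID=3266 DF PROTO=TCP SPT=1045 DPT=445 WINDOW=65535 SYN URGP=0
Jun 26 22:16:03 laptop kernel: IN=wlan0 OUT= SRC=10.20.31.77 DST=10.20.31.142 LEN=52 TTL=128 ID=3290 DF PROTO=TCP SPT=1046 DPT=445 WINDOW=65535 SYN URGP=0
"""

if __name__ == "__main__":
    for src, info in repeated_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hits']} hits on 445, median gap {info['median_gap_s']:.0f}s")
```

On the sample only 10.20.31.77 is reported, with four hits and a 40-second median gap; the two hits from .55 fall under the threshold and the UDP/137 broadcast is ignored. To run it on a real machine, feed it the output of `journalctl -k` or `/var/log/kern.log` after enabling a `-j LOG` rule for port 445.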
  2. The processing firms don't exactly help. by jimicus · · Score: 4, Informative

    Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.

    But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.

    PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.

    The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.

    Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?

    1. Re:The processing firms don't exactly help. by plover · · Score: 2

      I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)

      As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit trans a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million dollars per year (or more!) in compliance audits. Get down to the small business level of Linn Wu's Chinese Kitchen, and she doesn't care too much if she writes your card number down over the phone when she's taking your order. She might face a $150 fine for non-compliance, and that's only if someone complains.

      Where PCI DSS makes most of a difference is if you have a breach. Then, they'll retroactively audit you, find out wherever the leak originated and then fine you like crazy for being out of compliance. The really weird thing is it doesn't matter what your pre-breach auditor determined whether or not you were in compliance - if you were breached, you couldn't have been compliant because had you been following their rules you obviously would have stopped the attack!

      It's a noisy and expensive game that's making a small mountain of QSA auditing firms rich, but is providing little more than a dubious amount of "protection" to the retailers. And by "protection", I mean definition 5 of protection as in "Well suppose some of your tanks was to get broken and troops started getting lost, or fights started breaking out during general inspection, like. It wouldn't be good for business, would it, Colonel?"

      On the flip side, it seems to be having a positive effect on security. The attacks have had to become much more sophisticated, meaning the attackers need that much more skill to pull them off. That keeps more of the riff-raff skript kiddi3s out. And really, I think it stops a lot more of the internal theft of data by unskilled workers.

      --
      John
  3. So I put on my data breeches and my wizard hat and by vlm · · Score: 2, Funny

    So I put on my data breeches and my wizard hat and ...

    Wyndham: Do these data breeches make my butt look fat?
    FTC: Um... later honey I have some paperwork to file.

    Or maybe this is the start of a new advertising campaign by Wyndham:
    "Ladies... don't like how data breeches make your butt look fat down at the poolside? Well come to Wyndham instead and relax in our spa, now featuring homeopathic computer security"

    Conversation overheard at the defcon bar: "So I was social engineering the hotel firewall chick, and I charmed her outta her data breeches. At that point, I'm thinking third base for sure then I discovered it was a trap so I got the FTC to go after she/he for false advertising"

    So... I heard the Wyndham has same day dry cleaning service as a perk, but if you send out your data breeches, rather than getting them back same day, everyone in .ru gets a copy of them.

    That's all the time I got for /. standup comedy right now, thank you and I'll be here all night.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. Isn't the FBI in FAVOUR of data breaches? by ReallyEvilCanine · · Score: 2

    Why yes.

    Yes, yes they do.

    It was just last month I was reading about it. Again.

    Or is it that they only want this access for themselves, and you're a tairist if you don't think the FBI should have all access to all your activities and communications?

  5. Re:Hotel's responsibility? by vlm · · Score: 3, Informative

    And a hotel is responsible for network integrity why?

      It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

    The complaint was mostly about internal office stuff, their office stores your credit card info digitally, unencrypted, networked, in ready to steal format, that sort of mistake.
    Not so much about the complimentary wifi for guests.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. Anecdotal evidence- by Anonymous Coward · · Score: 2, Interesting

    That's hilarious, I actually stayed at a Wyndham "Microtel" last week on my way to Florida. The network was completely open, and I got hit with a man-in-the-middle attempt within seconds of getting online; it tried to knock me off HTTPS logging into Facebook.

  7. Re:PCI audits are not actually required by netwarerip · · Score: 3, Interesting

    Banking regulatory agency audits are not the same as PCI audits. The OCC can, and has, shut down a bank for failure to comply. Any 'National' bank must comply with the OCC regulators' demands. I worked at one that didn't like the 'raw deal' they got from the OCC so they dropped their national charter (went from being Shady National Bank to Shady Bank, and getting a state charter). Problem is, every OCC (and FRB, and state) audit is long on things like lending policy and HMDA compliance and short on legitimate IT concerns. It's always been just a dog and pony show on that end, because they have accountants auditing IT, and accountants are idiots.
    BTW, HIPAA and GLBA are basically one and the same, and banks must comply with GLBA.