FTC Files Complaint Against Wyndham For Hotel Data Breaches

coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."

5 of 46 comments

  1. So fine them money they already didn't spend? by gelfling · Score: 3, Interesting

    I suppose morally or ethically this is needed, but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short-sighted. Maybe a Wall of Shame that requires them to post signs everywhere and on their websites, that Wyndham is REALLY bad and indifferent to security and they have and will probably again lose your data, is what's needed.

    1. Re:So fine them money they already didn't spend? by BaileDelPepino · Score: 5, Informative

      I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.

      Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine):

      a. failed to use ... firewalls
      b. allowed ... storage of payment card information in clear readable text;
      ...
      d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
      e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
      f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
      g. failed to adequately inventory computers connected to the ... network;
      h. failed to ... conduct security investigations;
      i. failed to ... monitor ... network for malware used in a previous intrusion; and
      j. failed to adequately restrict third-party vendors’ access to ... property management systems ...

      --
      Look at the Cucumber! The vegetables envy their friend, they want to dance like him. Dancing Cucumber!
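
The clear-text card storage and the default "micros"/"micros" credentials quoted from the complaint above are exactly what a PCI scoping review goes looking for in a property management system. The following is an added example, not code from the thread, from Wyndham or from the FTC complaint: a small scanner that runs the Luhn check over candidate digit strings in an export and flags known default user/password pairs in an INI-style configuration. The sample export and configuration are constructed; the "micros"/"micros" pair comes from the complaint, and the other default pairs are assumptions.

```python
"""Find clear-text card numbers and default credentials in exported text.

Added example; not code from the Slashdot thread, Wyndham or the FTC complaint.
SAMPLE_EXPORT and SAMPLE_CONFIG below are constructed inputs.
"""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single
# spaces or dashes, and not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Pairs that should never appear in a live configuration. "micros"/"micros"
# is the pair quoted in the complaint; the other three are assumed defaults.
DEFAULT_CREDENTIALS = {
    ("micros", "micros"),
    ("admin", "admin"),
    ("root", "root"),
    ("sa", ""),
}

USER_KEYS = {"user", "username", "uid"}
PASSWORD_KEYS = {"password", "pass", "pwd"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in clear text as bare digit strings."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual masking rule for reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_default_credentials(config_text: str) -> list[tuple[str, str, str]]:
    """Return (section, user, password) for every INI-style section whose
    user/password pair is in DEFAULT_CREDENTIALS (case-insensitive)."""
    hits = []
    section, user, password = "", None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, user, password = line[1:-1], None, None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in USER_KEYS:
            user = value
        elif key.lower() in PASSWORD_KEYS:
            password = value
        if user is not None and password is not None:
            if (user.lower(), password.lower()) in DEFAULT_CREDENTIALS:
                hits.append((section, user, password))
            user, password = None, None
    return hits


# Constructed sample of a property-management export with cards in clear text.
# The third card fails the Luhn check and is dropped; the folio number is too short.
SAMPLE_EXPORT = """\
guest=J. Doe;room=412;card=4111 1111 1111 1111;exp=12/14
guest=A. Smith;room=118;card=5500-0000-0000-0004;exp=03/15
guest=B. Lee;room=207;card=1234567890123456;exp=01/16
folio=20120601-0001;total=145.20
"""

# Constructed sample configuration; only the [pms] section uses a default pair.
SAMPLE_CONFIG = """\
[pms]
user = micros
password = micros

[backup]
user = backupsvc
password = Xk9!v2#pqL
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_EXPORT):
        print("clear-text PAN:", mask(pan))
    for section, user, _ in find_default_credentials(SAMPLE_CONFIG):
        print(f"default credentials in [{section}]: user={user}")
```

The Luhn check is what separates card numbers from folio numbers, phone numbers and timestamps of similar length, so the scanner reports only masked hits that are worth chasing; the credential check reads the pair per section rather than grepping for a single string, so a default user name with a changed password does not trip it.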
  2. The processing firms don't exactly help. by jimicus · Score: 4, Informative

    Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.

    But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.

    PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.

    The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.

    Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?

  3. Re:Hotel's responsibility? by vlm · Score: 3, Informative

      And a hotel is responsible for network integrity why?

      It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

    The complaint was mostly about internal office stuff: their office stores your credit card info digitally, unencrypted, networked, in ready-to-steal format, that sort of mistake.
    Not so much about the complimentary wifi for guests.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. Re:PCI audits are not actually required by netwarerip · Score: 3, Interesting

    Banking regulatory agency audits are not the same as PCI audits. The OCC can, and has, shut down a bank for failure to comply. Any 'National' bank must comply with the OCC regulators' demands. I worked at one that didn't like the 'raw deal' they got from the OCC so they dropped their national charter (went from being Shady National Bank to Shady Bank, and getting a state charter). Problem is, every OCC (and FRB, and state) audit is long on things like lending policy and HMDA compliance and short on legitimate IT concerns. It's always been just a dog and pony show on that end, because they have accountants auditing IT, and accountants are idiots.
    BTW, HIPAA and GLBA are basically one and the same, and banks must comply with GLBA.