Learning from Wyndham’s Data Breach

How you respond before, during and after your credit card data has been compromised will have a major impact on your chain’s ability to survive a security fiasco.

By Erin Rigik, Associate Editor.

In today’s high tech world, no one is immune to a breach.

This June, The Federal Trade Commission (FTC) sued hotel dynasty Wyndham Worldwide Corp., after the company suffered multiple security breaches. Allegedly, customer credit card numbers and personal information were stolen from the company three times in less than two years.

The hotel behemoth is an international giant operating resorts and hotels under the Wyndham, Ramada, Super 8, Days Inn and Howard Johnson brands, among others. The amount of credit card data that passes through the company’s accounting system each month is staggering.

However, the FTC pointed the finger at Wyndham’s negligence in relation to security policies at the company’s Phoenix data center—where the company stores and transfers data between its headquarters and its individual business units. As a result, Russian hackers managed to infiltrate its system and install phishing software on a myriad of Wyndham servers, gaining access to more than 500,000 customer accounts on three separate occasions between 2008 and 2010. Hackers then rang up more than $10.6 million in fraudulent credit card transactions, according to the suit filed in the U.S. District Court of Arizona.

But more troubling was that even after the company learned of the breach, it failed to take action to prevent it from happening again, according to the FTC’s complaint, and as a result, the hackers were able to gain access on, not one, but two additional occasions. If Wyndham had added more complex user IDs and passwords, and made changes to software that was storing customer credit card data as unencrypted text, the company may have nipped the damage in the bud.

While no penalty exists for first-time violators of the FTC’s Consumer Privacy Act, and this is Wyndham’s first time being charged with violation, CNN News learned that the agency is none-the-less seeking a permanent injunction to force Wyndham to implement security measures to better protect customer information.

Wakeup Call
The lawsuit is a wakeup call for c-stores which, unlike a major hotel giant like Wyndham, would likely find themselves out of business if a similar breach took place at their stores. A fast response is vital to having any shot at saving your business if such a crisis occurs.

“The rule of fool me once, shame on you, fool me twice, shame on me applies here. It’s one thing for a company to be hacked, stop it, tighten security and move on—but three times? Wyndham neglected to take this seriously and the loss of brand equity will dwarf any FTC penalties,” said Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS).

The good news is such breaches are preventable. Repeatedly with breaches, it comes down to the fact that simple, basic security measures are not being completed, such as regularly changing passwords and inspecting point-of-sale equipment, said Bob Russo, general manager of the PCI Security Standards Council.

“The best way to protect against data breaches is by applying the security principles outlined in the PCI Data Security Standard (PCI DSS),” Russo said. “An intrusion need not result in card data compromise if an organization is following the guiding requirements of PCI DSS. Remember, security is an everyday job. You need to think securely on a day-to-day basis and always act accordingly. The second you stop is the second you become a viable victim for the next hacker.”

When a breach occurs, “Visa and MasterCard will penalize the retailer on the first instance,” warned Taylor. “Thereafter, expect the Feds to jump in because repeated breaches indicate a lack of concern for the broad interpretation of consumer law—that businesses are obligated to protect consumer identities as part ‘of the bargain’ in selling goods and services.”

Taylor noted that every security consultant and lawyer specializing in consumer payment security would advise c-stores that a cogent, well-conceived response plan should be in place and ready to be immediately implemented, should a breach occur.

Such a plan should include:
• Begin immediate forensics to determine how the breach occurred and how to shut it down.
• Notify appropriate parties of the breach (e.g. card companies, law enforcement, eventually consumers).
• Ensure that the company’s rights are maintained.

“The last point has to be mentioned because it is often the retailer (the entity robbed) that is vilified. The company must ensure its right to defend itself,” Taylor said. “This is why PCATS held the first-ever data security breach simulation at our annual conference in January. We had experienced breach professionals lead us through scenarios similar to this, to allow our retail members to test their preparedness. It was eye-opening.”

Convenience Store Decisions was on hand to experience the session in Scottsdale, Ariz., and watched how retailers in each group talked through the breach scenario and made judgments against the clock to seal the leak before it spread. Going through such exercises with the people on your team can help make your response time swift and do much to minimize damage when a real breach occurs and every second counts.

Are You Secure?
“The most important thing to note about something like the Wyndham Hotels breach, is that if it can happen to large institutions, it can also happen to you if you are not properly secured,” Russo said.

The PCI Security Standards Council has numerous resources on its Website site (www.pcisecuritystandards.org) to help convenience store operators better understand their role in securing payment card data.

“Sometimes it can be difficult, sometimes it is an easy fix. For franchises, we know that they have become a prime target for hackers,” Russo said. “They frequently can take what they know about one system and attack another location based on some standardization of equipment.”

To best protect your chain, first, when installing new equipment, ask the suppliers one simple question: Is it PCI compliant?

Next, you can prevent a significant amount of attacks by changing the default passwords for every piece of equipment connected to your payment process. “This simple step can eliminate a lot of risk,” Russo said.

Finally, keep all your software and terminals up to date and patched, or running the most up-to-date versions of the software.
“If you have been the victim of a breach, one of the biggest takeaways is to understand how you can monitor your systems for signs of a breach, or outsource that to a security operator. Knowing you have been attacked and discovering this yourself sets you at an advantage to halt the ongoing leak more quickly,” Russo said. “The sad truth is that the majority of breaches are not detected by the affected organization themselves. It is often only after they have been notified by a card brand that they often become aware.”

Getting in a security expert to understand and assess what happened and how it can be prevented in the future is critical.
Retailers can also find a list of PCI-certified forensics investigators on the PCI Security Standards Council Website, Russo noted.



  1. Too much apathy from certain sectors is leading to repeat breaches. Not enough information is shared to demonstrate that it does go on in big and small companies so that senior management can be reliably informed rather than fed fud from vendors

  2. Great analysis – very similar to the one I wrote here that breaks down each vulnerability they could have corrected: http://resource.onlinetech.com/why-invest-in-pci-hosting/

  3. Alejandr0 says:

    Of the many articles that have been written regarding the FTC’s suit, this is one is decent. Ms. Rigik doesn’t take liberties with the FTC’s allegations, and this fact speaks volumes about her experience in the IT industry; she demonstrates possession of the necessary experiences to afford her insight into the realities of intrusion and data theft incidents.

    In my opinion, most of the charges levied by the FTC are trumped up … or, to be kind, the FTC doesn’t understand technology well enough to be making accusations. Wyndham won’t have any problem supplying ample evidence to successfully dispute most (but not all) of the charges.

    The eye-openers for other companies watching this case will be the following: the defendant used a separate out-of-box PMS (property management system) at each of its hotels. Each PMS was an out-of-box installation from the PMS vendor and was supported exclusively by that vendor. The CC processing software at each hotel was a turn-key system installed, configured, and serviced exclusively by the merchant processor. Both the PMS and CC processing systems were marketed by the respective vendors as being PCI compliant.

    Why is this eye opening? If your business is like the vast majority of businesses, you didn’t write your own CC processing software. You purchased it, and you were likely given the assurance that it was PCI compliant. This suit will demonstrate who is ultimately liable if your turn-key CC processing solution is not as compliant as the vendor claimed and it becomes a favorite target of thieves.


Speak Your Mind