Wyndham hotels face FTC complaint after multi-hack attacks

Image: Wyndham Hotels and Resort publicity photo. Caption: The FTC said that more than half a million accounts had been compromised

Wyndham Worldwide faces an official complaint after hundreds of thousands of hotel customers' credit card details were posted to a Russian site.

The US Federal Trade Commission alleged that three data breaches had occurred at the group over less than two years.

It added that the firm and associated businesses had misrepresented the security measures that they had taken.

Wyndham said it was unaware of any customers losing money as a result of the breach.

According to the FTC, Wyndham Worldwide and three of its subsidiaries had failed to take security measures, such as firewalls, complex user IDs and passwords, and network segmentation between the hotels and their corporate network.

It added that "improper software configurations" had meant sensitive payment card information had been stored in clear readable text.

Memory-scrapers

As a result, the FTC said, in April 2008 intruders had been able to gain access to computers belonging to Wyndham's Hotels and Resorts subsidiary and 41 individual Wyndham-branded hotels.

It said the attackers had installed memory-scraping malware which had allowed them to access files containing payment card account information.

The agency said that more than half a million payment card accounts were compromised as a result, many of which subsequently appeared on a domain registered in Russia.

The FTC said that, despite the attack, Wyndham had failed to remedy the vulnerabilities and had been breached a further two times in 2009, leading to tens of thousands more accounts being affected.

Image caption: Wyndham says it is not aware of any of its customers experiencing a financial loss

It added that the intruders had been able to make more than $10.6m (£6.8m) of fraudulent purchases as a consequence.

'Vigorous' defence

Wyndham Worldwide told the BBC it had fully co-operated with the FTC's investigation, but believed the agency's claims were without merit.

"At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," said Michael Valentino.

"To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks. Since these events, we have made significant enhancements to our information security, and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security."

Mr Valentino added that the firm intended to defend itself against the FTC's charges "vigorously".

The US District Court for the District of Arizona will now decide whether to uphold the FTC's complaint and force Wyndham to pay compensation.
