The federal government filed suit Tuesday against Wyndham Hotels after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.
In court documents, the Federal Trade Commission alleges Wyndham Hotels' lax security policies allowed Russian hackers to access more than 500,000 customer accounts on three separate occasions between 2008 and 2010. Hackers used the data to rack up more than $10.6 million in fraudulent credit card transactions, according to the suit filed in the U.S. District Court of Arizona.
The security breaches involved Wyndham's Phoenix, Ariz., data center, the main hub where the company stores and transfers data between its corporate headquarters and affiliates.
By gaining access to the Arizona data center, hackers were able to install "phishing" software on numerous Wyndham servers around the world and gain access to customer data, the FTC's lawsuit alleges.
"At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," Michael Valentino, Wyndham's worldwide director of communications, said in a statement to CNN.
But Wyndham failed to take proper security measures even after the company was aware of a security breach, according to the FTC's complaint. The FTC said Wyndham should have instituted complex user IDs and passwords, and fixed software that stored the company's customer credit card data in clear readable text. Wyndham didn't make the fixes, the government alleges, and the hackers were able to gain access to servers on two more occasions.
"Even after faulty security led to one breach ... Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; failed to follow proper incident response procedures," the FTC said in a statement announcing the suit.
There is no penalty for first-time violators of the FTC's Consumer Privacy Act, and this is the first time Wyndham has been charged with violating the act. But according to Kristen Cohen, an attorney in the FTC's privacy and identity protection division, the agency is seeking a permanent injunction that would force Wyndham to implement what the agency considers reasonable and appropriate security measures for customer information.
Wyndham Hotel Group claims to be the world's largest hotel company with more than 7,000 hotels worldwide. The company operates hotels and resorts under the Wyndham brand, and includes Ramada, Super 8, Days Inn and Howard Johnson and several other hotel companies among its affiliates.