The Federal Trade Commission filed suit today against Wyndham Worldwide Corp. and three of its subsidiaries for failing to live up to their own privacy and data security policies in violation of an FTC rule that prohibits "unfair or deceptive acts."
Between 2008 and 2009, on three separate occasions, hackers were able to gain access to 619,000 payment card accounts, leading to fraudulent charges on consumers' accounts and $10.6 million in fraud loss to an Internet domain registered in Russia.
The case against Wyndham is part of a larger effort at the FTC to enforce companies' own privacy and data security policies to safeguard consumers' personal information. Both are big issues in Washington, where regulators and legislators are exploring ways to tighten privacy and cyber security.
"Even after faulty security led to one breach ... Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached two more times in less than two years," the FTC said.
Wyndham responded in a statement that said it cooperated with the FTC's investigations, notified hotel customers whose information may have been compromised and offered them credit-monitoring services.
"To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," said Michael Valentino, a spokesperson for Wyndham Worldwide. "Since these events, we have made significant enhancements to our information security."
Valentino added, "We regret the FTC's recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC's claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company."
The FTC's complaint was filed in the U.S. District Court for the District of Arizona.