The FTC alleged in its complaint that the data breaches resulted in fraudulent charges on consumer accounts, millions of dollars in fraud loss, and the export of 619,000 consumers’ payment card account numbers to a web domain address in Russia.
Wyndham and its subsidiaries failed to take security measures such as complex user IDs and passwords, firewalls and network segmentation between the hotels and the corporate network, the agency alleged. In addition, the Wyndham allowed improper software configurations which resulted in the storage of sensitive payment card information in clear readable text, according to the FTC.
In its complaint, the FTC said that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury. The agency charged that the security practices were unfair and deceptive, and violated the FTC Act.
The consumer watchdog said that the action against Wyndham is part of its ongoing effort to ensure companies live up to the promises made in their privacy policies.