If you’re making hotel reservations for spring and summer, take heed of Consumer Reports’ new travelers’ advisory: Be careful at hacker-friendly hotels, which leave the welcome mat out for data thieves by failing to comply with even the most rudimentary data security safeguards.
As recently as five years ago, Wyndham Worldwide, with about 7,000 hotels under a dozen well-known brands, let Russian hackers steal data involving 619,000 accounts of customers who stayed at 41 Wyndham-branded hotels, not just once—in April, 2008—not just a second time—in March, 2009—but also a third time later that same year, according to a Federal Trade Commission first amended complaint filed in 2012. The theft led to $10.6 million in unauthorized charges.
The Wyndham case is part of a broader FTC effort to ensure that companies live up to their promises to protect sensitive consumer information, which has led to 32 actions against corporations and organizations.
The FTC’s complaint chronicles data security lapses that were more reckless than a preteen friending adult strangers on Facebook, including:
Wyndham tried to have the case dismissed on the grounds that the FTC has no authority to regulate data security under its power over deceptive acts and practices. A U.S. District Court judge in New Jersey didn’t see it that way and earlier this month allowed the FTC action to proceed.
Wyndham declined Consumer Reports’ request for an interview. “The Court made no decision on liability, which will be determined later as the case now moves forward,” said Michael Valentino, vice president of marketing and communications for Wyndham Worldwide. “We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. We intend to defend our position vigorously.”
In an e-mail statement, Edith Ramirez, chairwoman of the FTC, said the case will proceed. “I’m pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data, and we look forward to trying this case on the merits,” she said. “Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”
Now, David Durko, former director of Wyndham’s security compliance management, says that many independently owned and operated Wyndham hotels doing business under the Super 8 brand name don’t comply with the Payment Card Industry Data Security Standard (PCI DSS).
Durko says the Wyndham Hotel Group hired him in response to the three breaches that became the focus of the FTC complaint. He worked there for a year and a half as a PCI consultant, then for another two years as director of security compliance, according to his LinkedIn profile. Durko says he and Wyndham parted on amicable terms.
PCI DSS is the baseline set of technical and operational controls meant to keep credit and debit card data from being stolen. The major credit card brands require every business that accepts their cards for payment to be PCI DSS compliant, and they created the Payment Card Industry Security Standards Council to maintain the minimum standards and practices that businesses must follow to protect cardholder data. The standard is a contractual requirement enforced through the card brands and acquiring banks rather than a law, and a business validates compliance with a self-assessment questionnaire or an on-site assessment; passing shows compliance at the time of the assessment, not that the systems stay secure afterward.
But American Express, MasterCard, and Visa were not immediately available for interviews to discuss how the self-regulatory system they created protects consumers. Discover, meanwhile, declined our request for an interview. “Unfortunately we don't have anything to discuss regarding this topic at this time,” said Abbe Kalina, a Discover representative.