Until recently, the fallout from the data breach at Wyndham Worldwide, owner of Ramada, Travelodge and a host of other hotel brands, followed an all too familiar path. Immediately after news of the breach reached customers in 2010, the company followed regular protocols by issuing an apology and committing itself to improving security procedures in an open letter to the public.
The FTC’s response seems to have caught everyone off guard, including Wyndham itself. In a statement issued shortly after the complaint was filed, the group stated, “We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit. We intend to defend against the FTC’s claims vigorously, and do not believe the outcome of this litigation will have a material adverse effect on our company… In a time when cyber attacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide.”
Wyndham has good reason to be taken aback by the FTC’s decision. Organisations that fall victim to hackers are rarely sued by government agencies. In most cases, civil action through class action lawsuits is the extent of their worries. However, Wyndham’s case seems to have been too severe for the FTC to ignore. This may have little to do with the size of the breach. Even large data breaches can be overlooked if companies had established reasonable security measures prior to the compromise. Therefore, the $10M of fraudulent transactions attributed to the 600,000 records stolen through the three separate breaches that took place at Wyndham should not in itself have led the FTC to take action. The driving factor seems to be the nature of the vulnerabilities and the absence of basic security measures at the company. The FTC claims that Wyndham failed to establish perimeter firewalls, change default user IDs and passwords, maintain strong password policies and patch and update software to remedy security vulnerabilities. It also failed to establish internal-facing firewalls to segment local and corporate networks and encrypt payment card data in storage.
Wyndham Worldwide may take some solace from the fact that the FTC does not have the ability to levy financial penalties. If the complaint is successful, Wyndham will probably be required to upgrade its security and undergo regular third-party audits. However, a Senate bill was recently introduced that would enable the FTC to impose fines in data security cases. The bill was promoted by the FTC itself, which is clearly committed to a strong stance on such issues. The agency has sued or reached settlements with approximately 35 companies over the last ten years for misrepresenting their data security measures. Prior to Wyndham, the most notable case was Twitter, which settled with the agency in 2010.