
FTC Files Complaint Against Wyndham For Hotel Data Breaches

Posted by Unknown Lamer
from the your-privacy-is-not-our-first-priority dept.
coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."
  • by gelfling (6534) on Wednesday June 27, 2012 @11:32AM (#40467949) Homepage Journal

    I suppose morally or ethically this is needed, but the idea that they should be fined money they already either didn't have or didn't want to spend in order to remediate this seems short sighted. Maybe a Wall of Shame that requires them to post signs everywhere and on their websites, that Wyndham is REALLY bad and indifferent to security and they have and will probably again lose your data, is what's needed.

    • by drinkypoo (153816)

      If they didn't want to be fined money they didn't have, they shouldn't have done something they couldn't afford to do without exposing their customers to risk.

      • by BaileDelPepino (1040548) on Wednesday June 27, 2012 @12:15PM (#40468485)

        I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.

        Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine)

        a. failed to use ... firewalls
        b. allowed ... storage of payment card information in clear readable text;
        ...
        d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
        e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
        f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
        g. failed to adequately inventory computers connected to the ... network;
        h. failed to ... conduct security investigations;
        i. failed to ... monitor ... network for malware used in a previous intrusion; and
        j. failed to adequately restrict third-party vendors’ access to ... property management systems ...

        • by pnutjam (523990)
          Think I might have to draft up a mailer for the hotels in my area. Drum up some business.
        • Hotels are a well-known "wild west".

          If you are on Linux, turn on firewall logging [ubuntu.com], and check out the results. If you are on Windows, fire up ZoneAlarm. You'll probably be hammered on port 445 with worms/viruses attempting to propagate through Windows sharing. As far as I can tell, Windows Firewall doesn't detect these attacks, but I'm not a Windows expert. It's sad that a product called "Windows Firewall" lacks the most important part of the title (the firewall).

          After you see the repeating pattern (for ex
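        As an added example (not from the comment above, and nothing to do with Wyndham's own systems), here is the "check out the results" step in Python: it parses the KEY=value fields that the iptables/ufw LOG target writes to the kernel log, counts blocked TCP attempts to the Windows file-sharing ports per source address, and lists sources that keep coming back. The log lines, the port list in `SMB_PORTS`, and the repeat threshold are constructed assumptions for the demonstration; the line format follows what ufw logging produces.

```python
import re
from collections import Counter, defaultdict

# Ports that worms and scanners hammer on hotel LANs: SMB over TCP, NetBIOS session, MS-RPC.
# Assumption: this port list and the threshold in repeat_offenders() are the example's choices.
SMB_PORTS = (445, 139, 135)

# iptables/ufw LOG lines are a run of KEY=value tokens; keys are upper-case.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def _mk(src, proto, spt, dpt, flags="SYN"):
    """Build one constructed line in the shape the iptables/ufw LOG target writes to kern.log."""
    return (
        f"Jun 27 11:32:01 laptop kernel: [ 120.1] [UFW BLOCK] IN=wlan0 OUT= "
        f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=10.1.2.50 "
        f"LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF PROTO={proto} SPT={spt} DPT={dpt} "
        f"WINDOW=8192 RES=0x00 {flags} URGP=0"
    )


# Constructed sample: one infected neighbour retrying SMB, one single probe, and some noise.
SAMPLE_LOG = [
    _mk("10.1.2.3", "TCP", 49211, 445),
    _mk("10.1.2.3", "TCP", 49212, 445),
    _mk("10.1.2.3", "TCP", 49213, 445),
    _mk("10.1.2.3", "TCP", 49214, 445),
    _mk("10.1.2.3", "TCP", 49215, 139),
    _mk("10.1.2.7", "TCP", 51000, 445),
    _mk("10.1.2.9", "TCP", 52000, 80),       # web probe, not file sharing
    _mk("10.1.2.9", "UDP", 137, 137, ""),    # NetBIOS name chatter, ignored
    "Jun 27 11:32:02 laptop NetworkManager[812]: <info> device state change",
]


def parse_line(line):
    """Return the KEY=value fields of a firewall LOG line as a dict, or None for other syslog lines."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def smb_hits(lines):
    """Map source address -> Counter of destination port, for blocked TCP attempts at SMB_PORTS."""
    hits = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if not fields or fields.get("PROTO") != "TCP":
            continue
        try:
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue
        if dport in SMB_PORTS:
            hits[fields["SRC"]][dport] += 1
    return hits


def repeat_offenders(hits, threshold=3):
    """Sources whose total attempts at SMB ports reach the threshold, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return [src for src, ports in ranked if sum(ports.values()) >= threshold]


if __name__ == "__main__":
    # On a real laptop, feed it `sudo journalctl -k` or /var/log/kern.log via sys.stdin instead.
    hits = smb_hits(SAMPLE_LOG)
    for src in repeat_offenders(hits):
        print(src, dict(hits[src]))
```

        Only TCP is counted because UDP 137/138 name-service broadcasts are normal chatter on any Windows-populated LAN and would drown the signal; a source that retries SMB on several ephemeral ports in a short window is the repeating pattern the comment refers to.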

        • f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;

          I happen to know for a fact that both Micros and Aloha use "customer/customer" as the default windows username & password for their POS servers... and it wouldn't surprise me if other POS software vendors used customer/customer as well. micros/micros is a slight improvement over default, given that it isn't customer/custome

    • by Stan92057 (737634)
      It's called punishment. It's a business, so taking its money is one of the things that can be done. I personally think the CEO should be jailed, or whoever signed off on not securing the network.
    • Regardless of whether they a) didn't have the money to properly secure their networks or b) had the money but didn't want to spend it, they are responsible for the loss of data. They either knew their security was lax, in which case don't offer wifi, or they didn't know their security was lax, in which case still don't offer wifi.
    • The thing with fining companies is that there is no guarantee that the company will change its behaviour. Naming and shaming doesn't really work either, there's just so many different ways of spinning PR around that your average Joe won't be any smarter in the end, and besides, naming and shaming still doesn't protect e.g. credit card data. What I mean is that FTC levying fines is merely a slap on the wrist and doesn't actually help the customers themselves. Wouldn't it then be more productive if the compan

      • Wouldn't it then be more productive if the companies in question were instead forced to hire an FTC-appointed network security inspector and apply any and all changes the inspector tells them to at their own cost?

        In theory that would work, but in reality they will just end up getting someone a lot like the OCC, FRB, and state banking authority auditors. They are ridiculously uninformed and ignorant about security practices and IT in general. They will go through a generic checklist, demand stupid policy documents, and basically waste time and money on both ends (the gov't's and the company's).

        • PCI audits are nice to have, and companies want them, and auditors are happy to do them, but failing a PCI audit doesn't actually mean much. There's no regulatory penalty for failing one or failing all of them. Unlike HIPAA, where there are real albeit rarely applied penalties, for PCI no such thing exists.

          • Re: (Score:3, Interesting)

            by netwarerip (2221204)
            Banking regulatory agency audits are not the same as PCI audits. The OCC can, and has, shut down a bank for failure to comply. Any 'National' bank must comply with the OCC regulators' demands. I worked at one that didn't like the 'raw deal' they got from the OCC so they dropped their national charter (went from being Shady National Bank to Shady Bank, and getting a state charter). Problem is, every OCC (and FRB, and state) audit is long on things like lending policy and HMDA compliance and short on legitima
  • They should be required to notify their guests of their bad record of protecting data.
  • by jimicus (737525) on Wednesday June 27, 2012 @11:58AM (#40468259)

    Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.

    But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.

    PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.

    The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.

    Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?

    • by Anonymous Coward

      I have slight involvement in this. Two comments:

      First, the "expensive card machine" isn't that expensive. We just bought one for about $300. It does require a dedicated phone line, but supposedly there is a version that works over ethernet and doesn't require the VLAN separation.

      Second, I have the separate PC installed behind a firewall, but it is a pain in the neck. It is supposed to be scanned for vulnerabilities monthly, plus kept up to date with Windows patches. Yes, I said windows, because the website

    • by plover (150551) *

      The problem here is a fundamental disconnect in how hotels do business with how card security is mandated.

      Hotels don't trust travelers to pay after their stay. They don't want to ask you to pay up front, either, because then they can't give you the seamless sign-it-to-my-room experience. Credit card account numbers offered an easy middle path: "we'll hold your card number until checkout." It harkens from a bygone era where credit was the exclusive province of the wealthy, who were de facto trusted to pay.

      • by jimicus (737525)

        Makes a lot of sense. I've seen plenty of businesses that take cards and it's amazing how many of them seem to totally ignore PCI-DSS.

        I can only come up with two possible explanations:

        1. My understanding of PCI-DSS is totally wrong.
        2. It's not really enforced to any significant extent - it just gives the bank a slightly bigger stick to beat you with if you don't comply.

        • by plover (150551) *

          I don't know what you have in your understanding, so I'll leave #1 alone (although I suspect it's not the real explanation.)

          As for #2, "enforcement" is a weird process. Merchants are broken into four Tiers, where retailers processing more than X million credit trans a year are in Tier 1, and so on. The higher the tier, the more stringent the auditing and requirements, and the higher the fines for non-compliance. A tier 1 retailer might be spending $5 million dollars per year (or more!) in compliance audit

          • by jimicus (737525)

            Thanks for your insight.

            Your description isn't far off how it looked to me as an outsider: a set of rules you're meant to comply with but aren't really enforced unless it becomes glaringly obvious that something's gone horribly wrong.

            • by jimicus (737525)

              Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.

              But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.

              • by plover (150551) *

                Replying to myself but: part of my understanding was the bit about virtual terminals I described earlier; the other part I understand is that keeping all the details you need to put another transaction through at a later date is strictly verboten.

                But neither of these seem to be particularly enforced, and the virtual terminal one is the thing that really gets me: payment processors advertising a solution and suggesting you use it in a fashion that by definition breaches PCI-DSS.

                Regarding your first comment, audits of Tier 1 and Tier 2 retailers are strongly enforced. The last count I saw was 6 million merchants accepting Visa, but fewer than 50 are Tier 1, and less than a thousand are Tier 2. Tier 4 is where the vast majority of retailers are, and there is pretty much nothing done at that level - payment processors simply don't accept anything there that doesn't come through their provided-or-certified payment terminals. Tier 3 is kind of hit-or-miss.

                PCI-DSS permits the storage

  • by vlm (69642) on Wednesday June 27, 2012 @11:59AM (#40468281)

    So I put on my data breeches and my wizard hat and ...

    Wyndham: Do these data breeches make my butt look fat?
    FTC: Um... later honey I have some paperwork to file.

    Or maybe this is the start of a new advertising campaign by Wyndham:
    "Ladies... don't like how data breeches make your butt look fat down at the poolside? Well come to Wyndham instead and relax in our spa, now featuring homeopathic computer security"

    Conversation overheard at the defcon bar: "So I was social engineering the hotel firewall chick, and I charmed her outta her data breeches. At that point, I'm thinking third base for sure then I discovered it was a trap so I got the FTC to go after she/he for false advertising"

    So... I heard the Wyndham has same day dry cleaning service as a perk, but if you send out your data breeches, rather than getting them back same day, everyone in .ru gets a copy of them.

    That's all the time I got for /. standup comedy right now, thank you and I'll be here all night.

    • by vlm (69642)

      Oh I got another one. Breeches, those are pants, right? Well Wyndham-style data breeches, those are pants with a "leather chaps" cut, such that the legs are covered and the fun parts are hanging out for all to see. Get it, data breeches?

      I'm gonna make a lotta money selling my UEFI boot secret signing key tee shirts and data breeches as a package deal.

      There's always witty data beaches jokes, once I tire of breeches jokes. "Stay at the Wyndham, right on the sandy data beaches of the holodeck."

  • Why yes. [tomsguide.com]

    Yes, yes they do [wired.com].

    It was just last month [engadget.com] I was reading about it. Again.

    Or is it that they only want this access for themselves [techdirt.com] and you're a tairist if you don't think the FBI should have all access to all your activities and communications [rt.com].

  • I am guessing that the Wyndham was charging for "secure" access, but if they were only charging for access, then wouldn't that be a case of Buyer Beware?

    It is still important for users to be wary of any network not their own personal or work network. Since you can't control the access point, don't assume the 3rd party is either.

    Encrypt your info and think before you use another's internet access.

  • And a hotel is responsible for network integrity why?

    It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."
    • by vlm (69642) on Wednesday June 27, 2012 @12:22PM (#40468583)

      And a hotel is responsible for network integrity why?

        It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

      The complaint was mostly about internal office stuff, their office stores your credit card info digitally, unencrypted, networked, in ready to steal format, that sort of mistake.
      Not so much about the complimentary wifi for guests.

      • by DeTech (2589785)
        what read TFA?

        Yeah it looks like they're just getting pinged for not implementing any personal data sanitation. Really makes you think about all those 3rd rate machines we swipe into daily.
  • Anecdotal evidence- (Score:2, Interesting)

    by Anonymous Coward

    That's hilarious. I actually stayed at a Wyndham "Microtel" last week on my way to Florida; the network was completely open, and I got hit with a man-in-the-middle attempt within seconds of getting online. It tried to knock me off HTTPS while logging into Facebook.

  • Sounds like a pair of pants with a USB cable.
