
FTC Files Complaint Against Wyndham For Hotel Data Breaches

coondoggie writes "A little over a month after the FBI warned travelers of an uptick in data being stolen via hotel Internet connections, the Federal Trade Commission has filed a complaint against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."
  • by jimicus ( 737525 ) on Wednesday June 27, 2012 @11:58AM (#40468259)

    Disclaimer: I'm not a PCI-DSS expert. The list of rules for accepting payment cards is quite long; there's an entire industry dedicated to making sense of it and applying those rules to businesses. And I'm not part of that industry.

    But I have had a quick look at them. AFAICT, the processing firms are actively undermining PCI-DSS in at least a couple of ways. One of the big things they push is a virtual card terminal - basically, log onto their website and process everything that way.

    PCI-DSS says this is fine, provided the computer used for this is in a separate VLAN firewalled from everything else on the company network, has no more than the bare minimum software installed and is not used for anything but processing card transactions.

    The processing firms push the virtual terminal as a money saver - "don't hire an expensive card machine, use your existing computer" and a way to be more flexible - "accept card payments from anywhere, just take your laptop with you and use that". I can't for the life of me figure out how this squares with the PCI-DSS rules regarding virtual card terminals.

    Anyone able to explain? Or are the processing firms actively undermining the rules laid out by Visa & Mastercard regarding how you process card details?

  • by BaileDelPepino ( 1040548 ) on Wednesday June 27, 2012 @12:15PM (#40468485)

    I actually read some of the complaint. Surprisingly, it has nothing to do with the fact that they only offer unencrypted WiFi. It's the fact that they actually lied to consumers, saying they use "industry standard practices" to protect customers' privacy, but actually do nothing of the sort. In fact, their level of incompetence seems impressive.

    Here are some of the salient details from the giant list of Wyndham security screwups (ellipses and emphases mine):

    a. failed to use ... firewalls
    b. allowed ... storage of payment card information in clear readable text;
    ...
    d. ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
    e. allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
    f. ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase “micros” as both the user ID and the password;
    g. failed to adequately inventory computers connected to the ... network;
    h. failed to ... conduct security investigations;
    i. failed to ... monitor ... network for malware used in a previous intrusion; and
    j. failed to adequately restrict third-party vendors’ access to ... property management systems ...

  • by vlm ( 69642 ) on Wednesday June 27, 2012 @12:22PM (#40468583)

    And a hotel is responsible for network integrity why?

      It's like a state park or a public restroom, "warning there may be stuff out there that may actively try to harm you, use at your own risk."

    The complaint was mostly about internal office stuff: their office stores your credit card info digitally, unencrypted, networked, in ready-to-steal format, that sort of mistake.
    Not so much about the complimentary wifi for guests.
