(MoneyWatch) The Federal Trade Commission sued Wyndham Worldwide Corp. (WYN), the global hospitality company that operates some 7,200 hotels and 93,000 vacation properties, on Tuesday for misrepresenting the security of customer data and for leaving the hotels' web sites so wide open to scammers that the company had three data breaches in less than two years. Some 500,000 consumer accounts were compromised, with hundreds of thousands of card numbers and access codes exported to a web address based in Russia, causing millions of dollars in fraud losses, according to the complaint. (Consumers are generally protected from fraud losses on credit card accounts by federal law that requires merchants and credit card companies to absorb the cost of fraud.)
Despite assuring consumers that their personal data was safe, the company failed to install even the most rudimentary security measures, such as complex user IDs and passwords, firewalls and network segmentation between its hotels, the FTC said. In addition, the company allowed consumer payment card information that's normally encrypted to be stored in plain, readable text.
As a result, thieves were able to get access to the corporate network of Wyndham's Hotels and Resorts subsidiary and the property management servers of 41 Wyndham-branded hotels, which are independently operated, but supported by Wyndham operating systems.
Wyndham spokesman Michael Valentino says the data breaches all occurred from 2008 to 2010 and the hotel company has since "made significant enhancements" to its information security and has assisted its franchisees to do the same. The company also notified affected consumers and offered them credit monitoring services. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," he said in a written statement.
The government complaint confirms that the data breaches started in 2008, at a Wyndham property in Arizona. But because the properties were on the same electronic system, cyber thieves were able to install memory-scraping malware on numerous Wyndham property management system servers and revise the company's software to store payment card information in plain text for hundreds of thousands of consumers, who booked through Wyndham hotels in a variety of locations.
The company's security systems were not fixed after that first breach, allowing two more breaches in 2009, where some 119,000 customer accounts were scraped and used to make fraudulent charges, according to the FTC.
Wyndham's Valentino says the company has cooperated with the FTC investigation, but believes the government's claims are without merit and will vigorously defend itself against the claims.