Last Updated Mar 2, 2010 5:50 PM EST
"Briefly stated, an unauthorised user took over an authorised account and used that account to acquire credit card numbers from certain Wyndham-branded properties," the hotel chain's director of media relations, Evy Apostolatos, said on Monday. "Fortunately, the incident was identified and quickly shut down."Although Wyndham declined to say how many guests or hotels were affected, I think it's logical to assume thousands of people's credit cards have been compromised. Wyndham also offered a FAQ for those customers who might be affected, including tips on how to freeze one's credit.
The hacker gained access to one of Wyndham Hotel Group's datacentres by going through centralised network connections, the company said in an open letter to customers on 18 February. Credit card data was then systematically moved to a URL outside the Wyndham network.
Security expert Nicholas Percoco, from Trustwave SpiderLabs, said that hackers target hotels because they are easy and it can take a long time -- on average, about five months -- until they are discovered. In a 2009 study by Percoco, 38% of all breaches were in the hospitality industry, higher than even the financial services or retail sectors. From Darkreading:
Nearly half of these attacks occur via remote access applications, of which 90 percent exploit default or weak passwords, according to the report. Around 42 percent of attacks occurred via third-party connections; 6 percent, SQL injection; 4 percent, exposed services; and 2 percent, remote file inclusion attacks. Interestingly, less than 1 percent began with an email Trojan.But the main problem remains that since many properties are operated and owned independently by franchisees, computer security isn't uniform. Which is too bad, since any computer at these locations are on Wyndham's central network and cybercriminals can use lax security to open the door to millions of credit card numbers.
Around 54 percent of the attacks used malware to harvest stolen data: More than two-thirds (67 percent) deployed memory parsers; 18 percent, keystroke loggers; 9 percent, network sniffers; and 6 percent, malware that the bad guys control who accesses the malware, such as in ATM attacks, according to Percoco.
If we use the analogy of a door for computer security, then Wyndham Hotels & Resorts has a few hotels with high-tech bank vault doors, some with sensible but secure deadbolts and still others have swinging saloon doors open to anyone. Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue. Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of their security risk.