Even after the hotel chain’s first-known data breach in 2008, Wyndham failed to fix its massive security vulnerabilities, alleges the FTC.
As a result, Wyndham’s security was breached two more times in less than two years.
These failures, according to the FTC, led to more than $10 million dollars in fraudulent credit-card charges, as well as the export of hundreds of thousands of consumers’ credit-card information to an Internet domain address registered in Russia.
The FTC says its case against Wyndham is part of an ongoing effort to make sure that companies live up to the promises they make about privacy and data security.
Although each Wyndham-branded hotel uses a different credit-card processor, the FTC claims the breaches enabled the hackers to install “memory-scraping” malware on numerous hotels’ servers and access payment-card account information for large numbers of consumers, which was improperly stored in clear, readable text.
In a statement, Wyndham said the lawsuit is “without merit.”