WASHINGTON (Reuters) - U.S. regulators filed a complaint against Wyndham Worldwide Corp and three subsidiaries on Tuesday, alleging that a failure to safeguard consumers’ personal information led to more than $10 million lost to fraud.
The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.
Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, failed to take security measures such as requiring strong passwords, the agency said. It also stored sensitive payment card information in clear readable text, the agency said.
In its complaint, the FTC said fraudulent charges on consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009, it said.
“Even after faulty security led to one breach ... Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures,” the FTC said.
Wyndham acknowledged it had been hacked and offered affected customers credit-monitoring services while also strengthening its security systems, said Barry Goldschmidt, a vice president for investor relations.
Wyndham was unaware of any customers losing money because of the breach, he said.
The case was filed in the U.S. District Court for the District of Arizona.
Reporting By Diane Bartz and Karen Jacobs; Editing by John Wallace