FTC Takes On Wyndham For Security Lapses

Published: 22/11/2024   Category: security


Lawsuit alleges deceptive practice in privacy policy following three breaches in two years



In another sign that it is cracking down on businesses that put consumer privacy at risk by failing to protect sensitive data, the Federal Trade Commission (FTC) has filed a lawsuit against hospitality company Wyndham Worldwide. The FTC accuses Wyndham of deceptive practices in the claims it made in its privacy policy, citing three breaches Wyndham suffered in the course of two years as evidence that it failed to live up to its promises to protect customer information.
"At the root of it, the FTC is saying to Wyndham, 'You're not living up to your privacy statement, and that's unfair and deceptive,'" says Todd Thiemann, senior director of product marketing for Vormetric. "It should be a wakeup call to enterprises, understanding they need to not just pay attention to PCI DSS, but make sure across the board that they're living up to what they say about privacy protection in terms of what they're advertising to their customers."
The FTC complaint names three breaches in the case, occurring in 2008 and 2009. The first was a breach of a networked server that gave attackers the ability to install malware that exfiltrated half a million credit card numbers to a domain registered in Russia. Even after that incident, the FTC claims, Wyndham did not do enough to prevent two additional breaches in which attackers gained access by similar means and exported more than 100,000 additional customer records.
In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury, the FTC said in a release this week. The agency charged that the security practices were unfair and deceptive and violated the FTC Act.
According to Torsten George, vice president of worldwide marketing for Agiliance, the suit is a clear sign to the security industry that it is no longer good enough to follow check-box compliance practices.
"You have to step up and really show that you care about security," he says. "And that it's really important, once you get burned the first time, to really dramatically change how you approach security within an organization."
He also believes that businesses will watch this case closely for clues as to how privacy policies should be written in the future. He believes that Wyndham was naïve in how it wrote its privacy policy, offering far too many safety guarantees in an environment rife with security breaches.
I believe that this is a watershed event and that a lot of lawyers of commercial companies are currently reviewing their legal information on their websites, he says.
It could also be an important case in setting precedent for what constitutes due diligence on behalf of companies offering privacy guarantees.
"The current FTC statements against Wyndham allege that Wyndham did not perform proper due diligence with respect to various areas of information security. The question most likely weighing on many organizations' minds as they watch this story unfold is, 'What constitutes proper due diligence?'" says Jason Rhykerd, consultant for SystemExperts Corporation, explaining that the answer is not as easy as we'd like to believe. "How can you be sure that one person's best practices are the best practices for your organization? Due diligence is a relative term; properly inventorying assets and assessing risk will allow an organization to realize gaps and implement controls and/or mitigation processes and policies."
He says that the basics like strong passwords, monitoring, and applying the rule of least privilege are still being missed today. It may take more actions like this from the FTC to convince organizations to pay more attention.
And the FTC may be happy to oblige. This is the third case this month that the agency has brought forward relating to data security. In the other two, the FTC is suing two companies for exposing customer data through P2P downloads.
It’s unfortunate that the stick of the FTC is required to force the change in mindset and action for some organizations, says Mike Reagan, chief marketing officer at LogRhythm. But for others, they’re recognizing the importance of this strategic imperative and are taking the right steps to increase their visibility and response capabilities to minimize loss and protect their customers and businesses.