Hotel chain in court for guest credit card scam (article)
Wednesday, 04. July 2012, 19:43
Last week, authorities in the US filed a lawsuit against Wyndham Worldwide, claiming the company and three subsidiaries failed to protect sensitive customer credit card data.
The Federal Trade Commission is looking into why almost
600,000 credit card numbers, including expiry and security codes, were stolen
over a three-year period in three separate data breaches, resulting in over $10
million in fraudulent losses to cardholders, banks, and credit card companies.
In a recent post titled "Credit card safety and cyber
attacks in travel – everyone’s responsibility", I argued that protecting
sensitive customer credit card data is paramount to maintaining consumer trust.
In the Trustwave 2012 Global Security Report, hospitality ranked at the top of
the list for data breaches for the fourth year in a row.
So, in short, what the heck is going on?
Don’t get me wrong, I fully understand that system
security is probably not at the top of every hotelier’s skill set, but strong
security practices should be built into every business process.
Weak passwords and a laissez-faire attitude towards
property management system usernames and passwords should never be an excuse
for a compromise.
It doesn’t just happen in the hotel industry though. I
can’t tell you how many times I’ve seen general computer users (regardless of
industry) use weak passwords for logins into systems that are business
In the case of Wyndham and many other targets of cyber
attacks, weak login credentials in property management systems are a key vector
for data breaches.
So, I guess we can blame the property management system,
right? Whoa, not so fast.
As I mentioned in my previous post, security is not
confined to one system. Security is a chain that links almost every aspect of a
business from the front desk to the senior staff.
Any weakness in that chain means a possible compromise.
According to the FTC, Wyndham Worldwide had many points of
weakness in its security chain, including: storing credit card information in
plain text, storing sensitive security codes (aka CVV/CVS/CVC data), not using
firewalls, not enforcing strong passwords, not using updated operating systems,
and not having adequate logging.
What is surprising (or maybe not) is that every one of the
vulnerabilities claimed by the FTC is also addressed by a requirement under the
PCI DSS (Payment Card Industry Data Security Standard) and outlined in the PCI
DSS v.2.0 document.
Clearly Wyndham, as well as each of its properties, is
subject to PCI audit and scanning requirements, and yet it would appear that
basic security measures were either not in place or not being enforced.
What has happened at Wyndham should be taken as a serious
wake-up call to the travel industry.
The security practices, or lack thereof, that resulted in
the breaches at Wyndham could have happened to anyone.
The old saying “it’ll never happen to me” just won’t cut
it when some unscrupulous 19-year-old cyber criminal decides to target your
website or data center. The safety and
security of customer data is not a game; it should be considered business
After all, how long can a business survive if it no longer
has the trust of its customers or the ability to accept payments?
I wouldn’t be surprised to see significant penalties
levied against Wyndham by the card companies as a result of these breaches or
class action suits similar to ones Sony faced after their massive breach. The financial impact of these penalties,
however, will be nothing compared to the loss of consumer confidence and
erosion of Wyndham’s brand.
If the hair on the back of your neck is tingling right
That means you’ve recognized the acute possibility that
what happened to Wyndham could happen to you.
Luckily for Wyndham, they have the financial and human
resources to make this right and turn this negative experience into an
important learning experience for themselves and the industry as a whole.
Now, stop reading and go update your weak password… you’ll
thank me in the morning. (Source: tnooz, Stephen Joyce)