The Federal Trade Commission is looking into why almost 600,000 credit card numbers including expiry and security codes, were stolen over a three year period in three separate data breaches, resulting in over $10 million in fraudulent losses to cardholders, banks, and credit card companies.

In a recent post titled Credit card safety and cyber attacks in travel – everyone’s responsibility, I argued that protecting sensitive customer credit card data is paramount to maintaining consumer trust. In the Trustwave 2012 Global Security Report, hospitality ranked at the top of the list for data breaches for the fourth year in a row.

So, in short, what the heck is going on?

Don’t get me wrong, I fully understand that system security is probably not on the top of every hotelier’s skill sets but strong security practices should be built into every business process.

Weak passwords and a laissez faire attitude towards property management system usernames and passwords should never be an excuse for a compromise.

It doesn’t just happen in the hotel industry though. I can’t tell you how many times I’ve seen general computer users (regardless of industry) use weak passwords for logins into systems that are business critical.

In the case of Wyndham and many other targets of cyber attacks, weak login credentials in property management systems are a key vector for data breaches.

So, I guess we can blame the property management system, right?  Whoa, not so fast.

As I mentioned in my previous post, security is not confined to one system. Security is a chain that links almost every aspect of a business from the front desk to the senior staff.

Any weakness in that chain means a possible compromise.

According to the FTC, Wyndham Worldwide had many points of weakness in their security chain including; storing credit card information in plain text, storing sensitive security codes (aka CVV/CVS/CVC data), not using firewalls, not enforcing strong passwords, not using updated operating systems, and not having adequate logging.

What is surprising (or maybe not) is that every one of the vulnerabilities claimed by the FTC is also addressed by a requirement under the PCI DSS (Payment Card Industry Data Security Standard) and outlined in the PCI DSS v.2.0 document.

Clearly Wyndham as well as each of its properties is subject to PCI audit and scanning requirements, and yet it would appear that basic security measures were either not in place or being enforced.

What has happened at Wyndham should be taken as a serious wake up call to the travel industry.

The security practices, or lack thereof, that resulted in the breaches at Wyndham could have happened to anyone.

The old saying “it’ll never happen to me” just won’t cut it when some unscrupulous 19-year-old cyber criminal decides to target your website or data center.  The safety and security of customer data is not a game, it should be considered business critical.

After all, how long can a business survive if it no longer has the trust of its customers or the ability to accept payments.

I wouldn’t be surprised to see significant penalties levied against Wyndham by the card companies as a result of these breaches or class action suits similar to ones Sony faced after their massive breach.  The financial impact of these penalties, however, will be nothing compared to the loss of consumer confidence and erosion of Wyndham’s brand.

If the hair on the back of your neck is tingling right now… good.

That means you’ve recognized the acute possibility that what happened to Wyndham could happen to you.

Luckily for Wyndham, they have the financial and human resources to make this right and turn this negative experience into an important learning experience for themselves and the industry as a whole.

Now, stop reading and go update your weak password… you’ll thank me in the morning.(source: tnooz- Stephen Joyce)