The US Federal Trade Commission has sued Wyndham Worldwide and three of its subsidiaries, alleging that inadequate data security at the hotel chain led to three security breaches in less than two years.

The FTC claimed that the data breaches led to fraudulent charges on consumer credit card accounts totalling millions of dollars and the export of hundreds of thousands of consumers’ credit card information to an internet domain address registered in Russia.

Wyndham describes itself as the world’s largest hotel company, with 7,150 properties globally under a range of brands including Ramada, Howard Johnson, Days Inn, Dream, Planet Hollywood, Travelodge and Super 8.

Concern over cybersecurity has heightened recently following a series of large-scale data breaches involving consumer data. The FTC’s action appears to signal a tougher attitude towards data breaches that expose consumers to identity theft and fraud.

“The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security,” the agency said in a statement posted on its website.

In its suit, filed in federal court in Arizona, the FTC alleged that “Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information and that its failure to safeguard personal information caused substantial consumer injury”.

The agency claimed that the company’s failure to safeguard personal information “caused substantial consumer injury” and said the breaches led to more than $10.6m in “fraud losses”.

Wyndham said it had “co-operated fully with the FTC regarding its investigation of previously reported data breaches that occurred from 2008 to 2010 in which cyber criminals potentially accessed a limited amount of customer information at some Wyndham Hotels and Resorts-brand hotel properties”.

The company said it believed the agency’s “claims are without merit”, adding: “We intend to defend against the FTC’s claims vigorously and do not believe the outcome of this litigation will have a material adverse effect on our company”.

It went on: “At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised and offered them credit monitoring services.

“To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks.

“Since these events, we have made significant enhancements to our information security and have assisted franchised and managed Wyndham Hotels and Resorts-brand hotels in enhancing their information security.”

Get alerts on Wyndham Worldwide Corp when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article