Only weeks after the FBI warned travelers of an increasing risk of data theft while using hotel internet connection, the FTC files a complaint against the Wyndham hotel chain for alleged failures in data security. Wyndham hotels had three security breaches within less than two years’ time, ultimately leading to hundreds of thousands of customer’s credit cards leaking out to a Russian website, and consumers incurring millions of dollars of fraud losses.
Among Wyndham’s failings were:
- Failure to use firewalls.
- Storage of customer credit card information in plain text.
- Allowed use of default user IDs and passwords, allowing easy access by hackers doing internet searches.
- Failure to adequately inventory computer system attached to the network.
- Failure to conduct security investigations.
- Permitted Wyndham-branded hotels to connect insecure computers to the network, including systems running outdated operating systems, unable to receive security updates.
- Failure to restrict access to property management systems by third party vendors.
- Didn’t require the use of complex passwords for property management systems (defendants used the phrase “micros” as both the user ID and the password).
All of this doesn’t even address known attacks involving the free wireless access commonly offered at such hotels. The FBI’s warning in May didn’t target any specific hotel chain, but cautioned of a growing problem where travelers establishing WiFi connections are presented with a pop-up window prompting them to update a widely used software product. If they click to accept the update, malware is installed on their system.
It’s wise to assume your hotel’s internet connection is not secure and to do all of your computer’s software updates before you travel.
Comments are closed.