Thursday 13 February, 2014
In recent years, the Federal Trade Commission has taken an increasingly active role in regulating the Internet. The FTC is all about protecting consumers and it goes after any company that doesn’t. In a high profile case a few years ago, the FTC sued major hotel operator Wyndham for not protecting consumer data.
Like most hotel chains, Wyndham offers free Wi-Fi for its guests. Guests can log into their private network and use it to surf the Internet. But in a two year period, Wyndham’s Wi-Fi network was accessed by Russian hackers and large-scale damage ensued.
What the FTC specifically sued Wyndham over was misleading its guests. It also failed after the first security breach to do anything about it. This led to the second and third breaches, which caused even more damage. The hotel operator said it took added security measures but didn’t. The FTC says that the hotel chain was ‘unfair and deceptive’ in telling its guests that it protected their data.
How bad was the damage? It’s estimated that something like 600,000 credit card numbers made the trip to Russia. Russian hackers used these cards to extract over $10 million dollars from unsuspecting Wyndham guests. The three security breaches occurred in 2008 and 2009.
Who suffered from the data breaches? First of all, lots of regular folks like you and me who could be staying at one of their hotels. Wyndham operates several major hotel chains including Days Inn, Ramada and Super 8.
But we weren’t the only people who suffered. Major corporations like Sony, Google, Lockheed Martin, Citigroup and the International Monetary Fund all had accounts compromised. In other words, this was serious stuff.
When a major company’s data is hacked it can mean serious problems for lots of people. A major breach could lead to a company closing its doors. It could lead to the company’s entire list of clients or customers getting their accounts compromised as well. Lockheed Martin and Google, just to name two, are a couple of companies with some very sensitive data in their vaults.
The data was breached because of a rookie security mistake. Credit card information was stored in simple text files. For a hacker, this is like opening a zip-lock bag. The software was not properly configured using firewalls, network segmentation or even complex passwords. Wyndham dropped the ball in a major way.
The cyber-criminals used malware that scraped data. In effect, they just walked in and took it. As Chester Wisniewski, security expert and advisor to Sophos Canada, wrote on Naked Security, ‘It isn’t rocket science, folks.’