In April 2008, hackers breached critical systems at hotel chain and management company Wyndham Worldwide, stealing the details of a half million debit- and credit-card accounts and sneaking them out of the company's network to a server in Russia.
Wyndham, which manages the information systems used by its franchisees to handle hotel operations and payment transactions, failed to patch the vulnerable servers exploited in the breach and didn't deploy new security measures, according to the US Federal Trade Commission (FTC), the United States' consumer-protection watchdog. Over the next two years, hackers twice used the same technique to compromise the company's systems and steal tens of thousands of additional payment-card details.
The attacks—and Wyndham's tepid reaction to them—are at the heart of a lawsuit brought by the FTC against the hotel management company in 2012. While Wyndham claimed that the company "recognize(s) the importance of protecting the privacy of individual-specific (personally identifiable) information," the company failed to live up to the implied promises, the FTC maintained, and then sued Wyndham under the century-old legal charge of unfair and deceptive business practices.
Is the Wyndham decision a game-changer?
This week, a federal appeals court upheld the agency's right to file civil complaints against businesses for failing to protect consumer information with adequate cybersecurity. The August 24 ruling puts information-security professionals on notice, said Abraham J. Rein, an associate in the Internal Investigations and White Collar Defense Group at law firm Post & Schell, P.C.
"This case means that companies need to monitor FTC's enforcement actions and what the agency is concerned about," he said. "And those people need to be communicating. Someone on the legal side of the office needs to communicate regularly and continuously with the IT folks to make sure they are on top of things."
Monday's ruling by the U.S. Court of Appeals for the Third Circuit lays another brick in the FTC's foundation for bringing legal action against companies who lack adequate cybersecurity. The ruling supports the agency's right to sue companies, even in cases where there's no documented breach, if the business hasn't secured the systems that handle consumer data.
"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," Federal Trade Commission Chairwoman Edith Ramirez said in an August 24 statement.
The Wyndham's case will likely set the bar, and a low one, for determining when a company isn't doing its due diligence in protecting consumer information, legal experts said.
The initial breach, for example, used a brute-force password guessing attack that resulted in hundreds of user accounts being locked out, according to the FTC complaint. Wyndham's information-technology people "were able to determine that the account lockouts were coming from two computers on (the company's) network, (but) they were unable to physically locate those computers," the FTC's complaint stated. "As a result, [the] Defendants did not determine that the (company's) network had been compromised until almost four months later."
Legal experts pointed to three lessons IT security operations teams should take from the ruling.
1. Don't be a laggard
The moral of the case is that companies and their IT security teams need to deliver on reasonable security. According to the FTC complaint, Wyndham failed to secure its systems and its customers' data in ten significant ways, including failing to fix known security vulnerabilities, leaving default usernames and passwords on sensitive servers, and failing to keep track of what computers connected to its network.
"We are talking about a failure to do basic stuff," said Alan Butler, senior counsel at Electronic Privacy Information Center (EPIC). "Not resetting default passwords, not installing a firewall, allowing computers with out-of-date security to join onto secure networks. There were a lot of things that were particularly egregious."
What's reasonable? Companies will have to determine that themselves, Butler said. While the FTC has issued a 20-page brochure to teach basic security concepts to workers, security professionals shouldn't expect the FTC to hold their hands. Wyndham challenged the FTC's action because the agency didn't publish cybersecurity guidelines informing companies what's expected of them. But the agency argued, and the court agreed, that its previous legal actions against companies hold the lessons that businesses need to learn.
"A lot of companies out there are pushing for more specific guidance," Butler said. "I'm not sure that the agency will put anything out. The concern is that they don't want to be behind, because once you put something on paper, in this area, it is already obsolete."
In some ways, the ruling is a boon to the security industry, and it's one more reason that companies need to lock down their businesses. The FTC complaint, however, doesn't focus on a single or even group of technologies, so businesses will have to evaluate what makes sense for them, said Sol Cates, chief security officer for Vormetric.
"The important thing to remember with data security is that there's no one size fits all approach," Cates said in an email interview. "There is no universal set standard, which is one of the largest issues that faces the security industry today. Naturally, this creates a grey area."
2. Third-party security matters
Wyndham's travails present an interesting case because the company doesn't run most of the Wyndham-branded hotels. Instead, the businesses are franchisees that are required to purchase a property management system, which "handles reservations, checks guests in and out, assigns rooms, manages room inventory, and handles payment card transactions," according to the FTC's complaint. Wyndham Worldwide manages those servers and has sole administrator access, but the individual hotels pay Wyndham to support their property management systems and have access to the network.
The lack of security among the franchisees is what allowed the attackers to get in. One system had not been patched in more than three years, according to the FTC complaint.
Other companies that don't pay attention to contractors' and partners' security could also be in legal jeopardy, Post & Schell's Rein said.
"Wyndham, in their offices, probably has very good cybersecurity practices, but they license with small hotels all over the world and they are being held responsible for the cybersecurity practices of those hotels," he said. "The case could determine that you are responsible for everyone who is accessing your network, if they are doing it with your blessing."
3. Keep your privacy policy up to date
Privacy policies are often overlooked, but the claims in Wyndham's privacy policy are at the root of much of the FTC's complaint. The agency has claimed that the company isn't holding up its end of the agreement with the consumer.
To prevent a similar attack, companies should review their policies regularly and make sure they comply with their statements, Rein said.
"The FTC alleges that some of the practices on the ground were not consistent with Wyndham's privacy policy," he said. "That goes again to the communication between the IT folks handling security and whoever is keeping that policy up. It is important that those people are talking."
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
