[ISN] Learning from Wyndham's Data Breach

From: InfoSec News <alerts_at_private>
Date: Wed, 26 Sep 2012 04:41:37 -0500 (CDT)
http://www.csdecisions.com/2012/09/25/learning-from-wyndhams-data-breach/

By Erin Rigik
Associate Editor
csdecisions.com
Sep 25, 2012

In today’s high tech world, no one is immune to a breach.

This June, the Federal Trade Commission (FTC) sued hotel chain Wyndham 
Worldwide Corp. after the company suffered multiple security breaches. 
Allegedly, customer credit card numbers and personal information were 
stolen from the company three times in less than two years.

The hotel behemoth is an international giant operating resorts and 
hotels under the Wyndham, Ramada, Super 8, Days Inn and Howard Johnson 
brands, among others. The amount of credit card data that passes through 
the company’s accounting system each month is staggering.

However, the FTC pointed the finger at Wyndham's negligence in relation 
to security practices at the company's Phoenix data center, through which 
the company stores and transfers data between its headquarters and its 
individual business units. As a result, Russian hackers managed to 
infiltrate its network and install malware on a myriad of Wyndham 
servers, gaining access to more than 500,000 customer accounts on three 
separate occasions between 2008 and 2010. Hackers then rang up more than 
$10.6 million in fraudulent credit card transactions, according to the 
suit filed in the U.S. District Court for the District of Arizona.

But more troubling was that even after the company learned of the first 
breach, it failed to take action to prevent it from happening again, 
according to the FTC's complaint, and as a result, the hackers were able 
to gain access on not one but two additional occasions. If Wyndham had 
required stronger user IDs and passwords, and changed the software that 
was storing customer credit card data as unencrypted text, the company 
may have nipped the damage in the bud.

[...]


--
ExpandingSecurity.com Live OnLine classes won't wreck your schedule.
Get that cert and be done before 2012 ends. Last ISSAP 2012 class starts
Sept. 25th. Last 2012 CISSP and CEH starts Oct. 1:
CEH info signup: http://www.expandingsecurity.com/product/ceh-certified-ethical-hacker-online/
CISSP info signup: http://www.expandingsecurity.com/product/cissp-live-online-10-week-course/
ISSAP info signup: http://www.expandingsecurity.com/product/issap-information-systems-security-architecture-professional/ 
Received on Wed Sep 26 2012 - 02:41:37 PDT