A federal appeals court ruled on Monday that the Federal Trade Commission does have the right to prosecute companies that fail to protect customer information.
The Philadelphia-based Third U.S. Circuit Court of Appeals ruled the FTC could proceed with a lawsuit against hotel chain Wyndham Worldwide Corp. for failing to take adequate precautions to prevent a cybersecurity breach.
Wyndham Worldwide, a corporation that operates hotels under the Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge brands, suffered three breaches between 2008 and 2009. Hackers broke into its computer system and stole the personal information and credit card numbers of over 619,000 customers, leading to over US$10.6 million in fraudulent charges.
The FTC filed suit against Wyndham in June 2012, claiming that the firm's computer systems unreasonably and unnecessarily exposed customer data to the risk of theft. Wyndham accused the FTC of unreasonable government oversight, but U.S. District Judge Esther Salas in Newark, New Jersey, declined to drop the charges.
Lawyers representing Wyndham argued that the FTC's suit was unfair and that allowing it would be the equivalent of letting the government agency coerce the hotel into putting an armed guard on every hotel door, or of suing supermarkets that didn't pick up banana peels.
The FTC's case depends on what is deemed a reasonable level of computer security, and the agency told the courts that Wyndham, which uses a centralized computer system for all its properties, didn't take reasonable precautions at all.
The suit cites the fact that the company's network was essentially wide open to attackers: Wyndham was apparently storing credit card numbers on its servers in plain text, used easily guessable passwords, had few or no firewalls, and didn't check what operating systems its subsidiaries were using or change default user names and passwords. On one occasion, a hotel was using an outdated operating system that hadn't been patched for three years.
The FTC also claimed that Wyndham's network left ports open and unchecked for third-party suppliers to use. The company neither informed its hotel network about the attacks nor followed up on them, letting hackers use the same mechanism to gain access to corporate servers in subsequent attacks.