FTC Has Power to Prosecute Companies over Slack Online Security


A federal appeals court ruled on Monday that the Federal Trade Commission does have the right to prosecute companies that fail to protect customer information.

The Philadelphia-based Third U.S. Circuit Court of Appeals ruled the FTC could proceed with a lawsuit against hotel chain Wyndham Worldwide Corp. for failing to take adequate precautions to prevent a cybersecurity breach.

Wyndham Worldwide, a corporation that operates hotels under the Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge brands, suffered three breaches between 2008 and 2009. Hackers broke into its computer system and stole the personal information and credit card numbers of over 619,000 customers, leading to over US$10.6 million in fraudulent charges.

The FTC filed suit against Wyndham in June 2012, claiming that the firm’s computer systems unreasonably and unnecessarily exposed customer data to the risk of theft. Wyndham accused the FTC of unreasonable government oversight, but U.S. District Judge Esther Salas in Newark, New Jersey, declined to drop the charges.

Lawyers representing Wyndham argued the FTC's suit was unfair and that it would be the equivalent of allowing the government agency to coerce the hotel to put an armed guard on every hotel door, or to sue supermarkets that didn't pick up banana peels.

The FTC's case depends on what would be deemed a reasonable amount of computer security, and it told the courts that Wyndham, which uses a centralized computer system for all its properties, didn't take reasonable precautions at all.

The suit cites the fact that the company's network was essentially wide open to attackers because Wyndham was apparently storing credit card numbers on its servers in plain text, had easily guessable passwords and few or no firewalls, and didn't check what operating systems its subsidiaries were using or change default user names and passwords. On one occasion, a hotel was using an outdated operating system that hadn't been patched for three years.

The FTC also claimed that Wyndham's network left ports open and unchecked for third-party suppliers to use. The company failed to inform its hotel network about the attacks and did not follow up on them, letting hackers use the same mechanism to gain access to corporate servers in subsequent attacks.

Wyndham stated in its privacy policy that guaranteed security does not exist on or off the internet, but that it used proper security procedures, safeguarded its data with 128-bit encryption, and maintained proper firewalls. The FTC decided this wasn't true and filed a suit.

Author
Carrie Ann is Editor-in-Chief at Industry Leaders Magazine, based in Las Vegas. Carrie covers technology, trends, marketing, brands, productivity, and leadership. When she isn’t writing she prefers reading. She loves reading books and articles on business, economics, corporate law, luxury products, artificial intelligence, and latest technology. She’s keen on political discussions and shares an undying passion for gadgets.
