The anatomy and consequences of a hotel data breach

Sandy B. Garfinkel

Data breach incidents have dominated the news in 2014, and they are only becoming more frequent and damaging. Security industry experts say that 78 percent of all companies and organizations in the U.S. suffered a data loss within the past two years.

Unfortunately, hotels are frequent targets for data thieves. Several factors are to blame: (1) hotels do a large amount of business through payment cards, and payment card theft is a favored type of identity theft crime among cyber criminals; (2) hotels frequently tie their computer systems together with the computer systems of others; and (3) hotels have high employee turnover and poor employee training in security practices.

Arguably the most notorious hotel data breach incidents happened to Wyndham Worldwide. In April 2008, hackers gained access to Wyndham’s computer system through a single computer in one of its franchised hotels. This computer's link to Wyndham’s property management and reservations system was used by the hackers to gain access to Wyndham’s servers. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes, compromising the computer systems of 41 properties. The intrusion was not detected for months.

Despite Wyndham’s diligent efforts to identify and remedy system vulnerabilities, the hackers returned twice more in 2009. The second attack resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.

The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, more than 600,000 accounts were compromised and the potential for payment card fraud has been estimated to exceed $10 million.

The consequences to Wyndham have been serious and seemingly endless. Initially, Wyndham undertook the expensive process of issuing notifications to all affected individuals as required by the data breach notification statutes of 47 U.S. states. Wyndham also spent time and resources attempting to satisfy state consumer protection regulators and attorneys general that it was adequately responding to the breaches.

Wyndham also bore the legal costs of challenging assessments imposed by credit card companies for recovery of fraud costs associated with the breaches.

Wyndham’s woes were only just beginning. In April 2012, the Federal Trade Commission brought a lawsuit alleging that Wyndham had failed to use adequate security practices concerning consumer information, and that this failure amounted to unfair and deceptive trade practices. Wyndham’s motion to dismiss was denied by the court in early 2014. The case is ongoing.

Then, in May 2014, a Wyndham shareholder brought a derivative action against it; a motion to dismiss remains pending.

The accepted industry wisdom is that a determined hacker can get into virtually any system, regardless of how well it is protected. Industry experts and lawmakers are calling for faster and better intrusion response as a defense, through implementing closer monitoring and tighter protocols to detect breaches earlier and having cyber incident response plans. 

In the end, hotel owners, management firms and brands may not be able to avoid becoming victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control is their readiness to respond. 
