The anatomy and consequences of a hotel data breach

Sandy B. Garfinkel

Data breach incidents have dominated the news in 2014, and they are only becoming more frequent and damaging. Security industry experts say that 78 percent of all companies and organizations in the U.S. suffered a data loss within the past two years.

Unfortunately, hotels are frequent targets for data thieves. Several factors are to blame: (1) hotels do a large amount of business through payment cards, a favored type of identity theft crime among cyber criminals; (2) hotels frequently tie their computer systems together with the computer systems of others; and (3) hotels have high employee turnover and poor employee training in security practices.

Arguably the most notorious hotel data breach incidents happened to Wyndham Worldwide. In April 2008, hackers gained access to Wyndham’s computer system through a single computer in one of its franchised hotels. This computer's link to Wyndham’s property management and reservations system was used by the hackers to gain access to Wyndham’s servers. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes, compromising the computer systems of 41 properties. The intrusion was not detected for months.

Despite Wyndham’s diligent efforts to identify and remedy system vulnerabilities, the hackers returned twice more in 2009. The second attack resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.

The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, more than 600,000 accounts were compromised and the potential for payment card fraud has been estimated to exceed $10 million.

The consequences to Wyndham have been serious and seemingly endless. Initially, Wyndham undertook the expensive process of issuing notifications to all affected individuals as required by the data breach notification statutes of 47 U.S. states. Wyndham also spent time and resources attempting to satisfy state consumer protection regulators and attorneys general that it was adequately responding to the breaches.

Wyndham also bore the legal costs of challenging assessments imposed by credit card companies for recovery of fraud costs associated with the breaches.

Wyndham’s woes were only just beginning. In April 2012, the Federal Trade Commission brought a lawsuit alleging that Wyndham had failed to use adequate security practices concerning consumer information, and that this failure amounted to unfair and deceptive trade practices. Wyndham’s motion to dismiss was denied by the court in early 2014. The case is ongoing.

Then, in May 2014, a Wyndham shareholder brought a derivative action against it; a motion to dismiss remains pending.

The accepted industry wisdom is that a determined hacker can get into virtually any system, regardless of how well it is protected. Industry experts and lawmakers are calling for faster and better intrusion response as a defense, through implementing closer monitoring and tighter protocols to detect breaches earlier and having cyber incident response plans. 

In the end, hotel owners, management firms and brands may not be able to avoid becoming victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control is their readiness to respond.