by Cheryl-Anne Sturken | June 28, 2012

This week, the Federal Trade Commission sued Wyndham Worldwide and three of its subsidiaries for security failures that resulted in three data breaches in less than two years. Those breaches, traced to a domain registered in Russia, resulted in the compromise of more than 619,000 consumer payment-card account numbers. While Wyndham is hardly the only hotel company to fall victim to data theft, it is the first to come under government fire in being charged with having "inadequate security practices" that caused "consumer injury." It is a given that the U.S. hospitality industry will be paying close attention to the outcome of this case.

The fact that hotels are a prime target for cyber theft should come as no surprise to hoteliers. The Verizon 2012 Data Breach Investigations Report released earlier this year confirmed that what it termed the "accommodation and food services industry" suffered the greatest number of data breaches. What's more, in its 2012 Global Security Report, Chicago-based data security company Trustwave noted that "industries with franchise models are the new cyber targets: More than a third of 2011 investigations occurred in a franchise business." And the franchise business for Wyndham, like its competitors, including Marriott International and Starwood Hotels & Resorts Worldwide, not only is a significant contributor to the bottom line, but a critical strategy for global growth. As such, the potential for increased risk and substantial loss is clearly evident.

According to the FTC suit filed June 26, 2012, in the United States District Court for the District of Arizona, Wyndham licensed the Wyndham brand name to some 90 independently owned hotels under franchise or management agreements, which allowed each hotel to configure and manage its own designated computer system. Those property-managed systems were then linked to Wyndham's corporate network, including its central reservation system, which coordinates reservations across the Wyndham brand. Because Wyndham Worldwide was paid fees by its franchisees to manage those data systems and provide technical support, the FTC lawsuit charges that the company's failure to provide adequate security measures compromised individual property management systems, resulting in the "exposure of thousands of consumers' payment-card accounts."

Unfortunately, the hotel industry continues to be at significant risk of data breach. In March of this year, officials at the 323-room Desmond Albany Hotel and Conference Center in Albany, N.Y., announced it had been the victim of a "serious data security breach" between May 21, 2011, and March 10, 2012, which involved hackers gaining access to the property's computer system. That represents nearly a full 10 months of security compromise before the public was notified of potential financial exposure. Two years ago, Englewood, Colo.-based Destination Hotels & Resorts reported that guests at 21 of its properties had been subject to credit card theft. It is a security concern that is only going to intensify, warn data security and risk management experts. In a January 2012 guest column in Forbes magazine, Erin Nealy Cox, executive managing director and deputy general counsel for New York City-based digital risk management firm Stroz Friedberg, wrote that the hospitality industry will continue to experience major challenges and vulnerabilities because of its "reliance on tracking and storing detailed personal information about clients, and sharing that data across networks."

While space, dates and rates factor mightily in a meeting planner's site-selection decisions, it might be time to also ask some hard questions about the management and security of credit card data. As Nealy Cox questioned, "Is the day near when we'll see hotels marketing data security safeguards as much as the mint chocolate left out on the fluffed-up pillow?"

I'd say the answer is yes.