Connect with us

Hi, what are you looking for?


Incident Response

Wyndham Settles FTC Charges Without Paying Fine

Wyndham Worldwide has come to an agreement with the U.S. Federal Trade Commission (FTC) regarding the agency’s investigation into a series of data breaches at some of the hospitality giant’s hotels.

Wyndham Worldwide has come to an agreement with the U.S. Federal Trade Commission (FTC) regarding the agency’s investigation into a series of data breaches at some of the hospitality giant’s hotels.

The FTC sued Wyndham Worldwide in 2012 for security failures that resulted in three data breaches between 2008 and 2010. The breaches at Wyndham Hotels and Resorts properties allegedly resulted in the theft of data associated with hundreds of thousands of payment cards and fraudulent charges totaling millions of dollars.

In response to the FTC’s accusations, Wyndham argued that it responded appropriately to the data breaches — it promptly alerted authorities, hired forensics experts to investigate the incident, implemented security enhancements, notified affected customers and offered them credit monitoring services. Furthermore, the company says it hasn’t received any indication that its customers experienced financial loss due to the attacks.

Earlier this year, Wyndham challenged the FTC’s authority to take action against organizations with poor data security practices, but the U.S. Court of Appeals for the Third Circuit ruled that the FTC can sue firms that fail to safeguard consumer data.

Wyndham has now agreed to settle FTC charges, but the company will not have to pay a fine or admit to any wrongdoing. Instead, it will have to establish a comprehensive information security program designed to protect payment card data, and conduct annual security audits. The company will also have to ensure that the networks of its franchisees are properly protected.

The FTC has pointed out that these obligations are in place for 20 years.

“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model,” Wyndham stated.

Advertisement. Scroll to continue reading.

“This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks,” the company added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.