Wyndham Worldwide has come to an agreement with the U.S. Federal Trade Commission (FTC) regarding the agency’s investigation into a series of data breaches at some of the hospitality giant’s hotels.
The FTC sued Wyndham Worldwide in 2012 for security failures that resulted in three data breaches between 2008 and 2010. The breaches at Wyndham Hotels and Resorts properties allegedly resulted in the theft of data associated with hundreds of thousands of payment cards and fraudulent charges totaling millions of dollars.
In response to the FTC’s accusations, Wyndham argued that it responded appropriately to the data breaches — it promptly alerted authorities, hired forensics experts to investigate the incident, implemented security enhancements, notified affected customers and offered them credit monitoring services. Furthermore, the company says it hasn’t received any indication that its customers experienced financial loss due to the attacks.
Earlier this year, Wyndham challenged the FTC’s authority to take action against organizations with poor data security practices, but the U.S. Court of Appeals for the Third Circuit ruled that the FTC can sue firms that fail to safeguard consumer data.
Wyndham has now agreed to settle FTC charges, but the company will not have to pay a fine or admit to any wrongdoing. Instead, it will have to establish a comprehensive information security program designed to protect payment card data, and conduct annual security audits. The company will also have to ensure that the networks of its franchisees are properly protected.
The FTC has pointed out that these obligations are in place for 20 years.
“We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief. We chose to defend against this litigation based on our strong belief that we have had reasonable data security in place, and that the FTC’s position could have had a negative impact on the franchise business model,” Wyndham stated.
“This settlement resolves these issues, and sets a standard for what the government considers reasonable data security of payment card information. Safeguarding personal information remains a top priority for our company at a time when companies and government agencies are increasingly the targets of cyberattacks,” the company added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
